authorTed Unangst <tedu@cvs.openbsd.org>2015-10-15 21:20:10 +0000
committerTed Unangst <tedu@cvs.openbsd.org>2015-10-15 21:20:10 +0000
commite241233dcbb5c77584d2d483297c7f037489707e (patch)
treefb1aef2d13c02bf9bdc40924c82078c88e89982b
parent464413cd382afe86c7987a28a2f64e2696f417e7 (diff)
now with _rebound user, we can try a little harder at privdrop
-rw-r--r--usr.sbin/rebound/rebound.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/usr.sbin/rebound/rebound.c b/usr.sbin/rebound/rebound.c
index b8495ff73a3..2f9eee919c0 100644
--- a/usr.sbin/rebound/rebound.c
+++ b/usr.sbin/rebound/rebound.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rebound.c,v 1.5 2015/10/15 20:58:14 tedu Exp $ */
+/* $OpenBSD: rebound.c,v 1.6 2015/10/15 21:20:09 tedu Exp $ */
/*
* Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
*
@@ -316,7 +316,10 @@ launch(const char *confname, int ud, int ld, int kq)
return child;
}
- pwd = getpwnam("nobody");
+ if (!(pwd = getpwnam("_rebound"))) {
+ logmsg(LOG_DAEMON | LOG_ERR, "getpwnam failed");
+ exit(1);
+ }
if (chroot("/var/empty") || chdir("/")) {
logmsg(LOG_DAEMON | LOG_ERR, "chroot failed (%d)", errno);
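Review bot: The new failure message at the `getpwnam` check does not say which account was missing, so an operator reading syslog on a host where the `_rebound` user was never created gets only "getpwnam failed"; `logmsg(LOG_DAEMON | LOG_ERR, "getpwnam _rebound failed");` would name it. Unlike the neighbouring chroot message, appending errno would not help here, since a plain "no such user" result from getpwnam returns NULL without setting errno. The lookup is correctly placed ahead of the `chroot("/var/empty")` on the following lines, because the passwd database is unreachable once the process is confined there; a one-line comment such as `/* must precede chroot: passwd db is unreachable from /var/empty */` would make that ordering constraint explicit for future edits. The body of launch() continues beyond this hunk.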
@@ -324,7 +327,12 @@ launch(const char *confname, int ud, int ld, int kq)
}
setproctitle("worker");
- setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
+ if (setgroups(1, &pwd->pw_gid) ||
+ setresgid(pwd->pw_gid, pwd->pw_gid, pwd->pw_gid) ||
+ setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid)) {
+ logmsg(LOG_DAEMON | LOG_ERR, "failed to privdrop");
+ exit(1);
+ }
close(kq);