authorDamien Miller <djm@cvs.openbsd.org>2005-07-04 01:54:12 +0000
committerDamien Miller <djm@cvs.openbsd.org>2005-07-04 01:54:12 +0000
commit111f17112e935f1768e0da7a24ee15f428f61872 (patch)
treeb1f09cb1f6a1931201c21470d665ce24d382e1b5 /usr.bin/sup
parentf1530fb5e1f6818aafdfeef038b0b7a755aa35e0 (diff)
make these use setres[ug]id for simple privilege dropping;
ok deraadt@ millert@ moritz@
Diffstat (limited to 'usr.bin/sup')
-rw-r--r--usr.bin/sup/src/run.c14
-rw-r--r--usr.bin/sup/src/supfilesrv.c26
2 files changed, 18 insertions, 22 deletions
diff --git a/usr.bin/sup/src/run.c b/usr.bin/sup/src/run.c
index b49a4bdc668..c96a592dfa8 100644
--- a/usr.bin/sup/src/run.c
+++ b/usr.bin/sup/src/run.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: run.c,v 1.13 2002/06/12 06:07:16 mpech Exp $ */
+/* $OpenBSD: run.c,v 1.14 2005/07/04 01:54:10 djm Exp $ */
/*
* Copyright (c) 1991 Carnegie Mellon University
@@ -170,15 +170,19 @@ dorun(name, argv, usepath)
pid_t pid;
struct sigaction ignoresig, intsig, quitsig;
int status;
+ uid_t uid;
+ gid_t gid;
if ((pid = fork()) == -1)
return(-1); /* no more process's, so exit with error */
if (pid == 0) { /* child process */
- setegid(getgid());
- setgid(getgid());
- seteuid(getuid());
- setuid(getuid());
+ uid = getuid();
+ gid = getgid();
+ if (setgroups(1, &gid) == -1 ||
+ setresgid(gid, gid, gid) == -1 ||
+ setresuid(uid, uid, uid) == -1)
+ _exit(0377);
if (usepath)
execvp(name,argv);
else
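Review bot: The added `setgroups(1, &gid)` in the child of dorun() normally succeeds only for the superuser, so if dorun() is ever reached with a non-root effective uid the chain fails and the child exits with 0377 without running `name`. The removed calls ignored their return values and went on to exec. It is worth confirming that every caller is root at this point, or guarding the call, e.g. `if ((geteuid() == 0 && setgroups(1, &gid) == -1) || ...`. The failure is also silent; a one-line diagnostic before `_exit(0377)`, such as `perror("dorun: cannot drop privileges");`, would let an operator tell a failed privilege drop from a failed exec. dorun's body starts and ends outside the hunk.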
diff --git a/usr.bin/sup/src/supfilesrv.c b/usr.bin/sup/src/supfilesrv.c
index 31709e08f20..e90432e1bd7 100644
--- a/usr.bin/sup/src/supfilesrv.c
+++ b/usr.bin/sup/src/supfilesrv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: supfilesrv.c,v 1.34 2004/05/31 15:48:26 pedro Exp $ */
+/* $OpenBSD: supfilesrv.c,v 1.35 2005/07/04 01:54:10 djm Exp $ */
/*
* Copyright (c) 1992 Carnegie Mellon University
@@ -1852,14 +1852,10 @@ changeuid(namep, passwordp, fileuid, filegid)
#if CMUCS
if (setgroups(grps[0], &grps[1]) < 0)
logerr("setgroups: %%m");
- if (setegid((gid_t)grp->gr_gid) < 0)
- logerr("setegid: %%m");
- if (setgid((gid_t)grp->gr_gid) < 0)
- logerr("setgid: %%m");
- if (seteuid(pwd->pw_uid) < 0)
- logerr("seteuid: %%m");
- if (setuid(pwd->pw_uid) < 0)
- logerr("setuid: %%m");
+ if (setresgid(grp->gr_gid, grp->gr_gid, grp->gr_gid) < 0)
+ logerr("setresgid: %%m");
+ if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0)
+ logerr("setresuid: %%m");
#else /* CMUCS */
#ifdef HAS_LOGIN_CAP
if (setusercontext(NULL, pwd, pwd->pw_uid, LOGIN_SETALL) < 0)
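Review bot: A failed `setresgid` or `setresuid` in changeuid() is only passed to `logerr`, and execution then falls through to `return (NULL)`. The caller is told the identity switch succeeded while the process may still hold its original, presumably privileged, ids. The same log-and-continue checks are in the next hunk (`@@ -1867,18 +1863,14 @@`), although `initgroups` there already fails hard with `return ("Error setting group list");` and run.c in this commit exits on failure. Each check should return an error string instead, e.g. `if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) return ("Error setting user id");`, and the CMUCS `setgroups` check just above deserves the same treatment. changeuid's body starts outside the hunk.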
@@ -1867,18 +1863,14 @@ changeuid(namep, passwordp, fileuid, filegid)
#else
if (initgroups(pwd->pw_name,pwd->pw_gid) < 0)
return ("Error setting group list");
- if (setegid(pwd->pw_gid) < 0)
- logerr("setegid: %%m");
- if (setgid(pwd->pw_gid) < 0)
- logerr("setgid: %%m");
+ if (setresgid(pwd->pw_gid, pwd->pw_gid, pwd->pw_gid) < 0)
+ logerr("setresgid: %%m");
#ifndef NO_SETLOGIN
if (setlogin(pwd->pw_name) < 0)
logerr("setlogin: %%m");
#endif
- if (seteuid(pwd->pw_uid) < 0)
- logerr("seteuid: %%m");
- if (setuid(pwd->pw_uid) < 0)
- logerr("setuid: %%m");
+ if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0)
+ logerr("setresuid: %%m");
#endif /* HAS_LOGIN_CAP */
#endif /* CMUCS */
return (NULL);