diff options
| -rw-r--r-- | usr.sbin/rebound/rebound.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/usr.sbin/rebound/rebound.c b/usr.sbin/rebound/rebound.c index b8495ff73a3..2f9eee919c0 100644 --- a/usr.sbin/rebound/rebound.c +++ b/usr.sbin/rebound/rebound.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rebound.c,v 1.5 2015/10/15 20:58:14 tedu Exp $ */ +/* $OpenBSD: rebound.c,v 1.6 2015/10/15 21:20:09 tedu Exp $ */ /* * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org> * @@ -316,7 +316,10 @@ launch(const char *confname, int ud, int ld, int kq) return child; } - pwd = getpwnam("nobody"); + if (!(pwd = getpwnam("_rebound"))) { + logmsg(LOG_DAEMON | LOG_ERR, "getpwnam failed"); + exit(1); + } if (chroot("/var/empty") || chdir("/")) { logmsg(LOG_DAEMON | LOG_ERR, "chroot failed (%d)", errno); @@ -324,7 +327,12 @@ launch(const char *confname, int ud, int ld, int kq) } setproctitle("worker"); - setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); + if (setgroups(1, &pwd->pw_gid) || + setresgid(pwd->pw_gid, pwd->pw_gid, pwd->pw_gid) || + setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid)) { + logmsg(LOG_DAEMON | LOG_ERR, "failed to privdrop"); + exit(1); + } close(kq); |