pjht/swaylock
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #14 from swaywm/shadow-fortify-drop-root

Browse Source 
Make sure we can't restore root after setuid
This commit is contained in:
Drew DeVault 2019-01-16 19:05:41 -05:00 committed by GitHub
commit 5303a5f300
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
shadow.c
View File

@ -21,7 +21,7 @@ static void clear_buffer(void *buf, size_t bytes) {
} }
} }
void run_child(void) { static void run_child(void) {
/* This code runs as root */ /* This code runs as root */
struct passwd *pwent = getpwuid(getuid()); struct passwd *pwent = getpwuid(getuid());
if (!pwent) { if (!pwent) {
@ -46,6 +46,9 @@ void run_child(void) {
if (setuid(getuid()) != 0) { if (setuid(getuid()) != 0) {
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
if (setuid(0) != -1) {
exit(EXIT_FAILURE);
}
/* This code does not run as root */ /* This code does not run as root */
swaylock_log(LOG_DEBUG, "prepared to authorize user %s", pwent->pw_name); swaylock_log(LOG_DEBUG, "prepared to authorize user %s", pwent->pw_name);
@ -127,6 +130,11 @@ void initialize_pw_backend(void) {
swaylock_log_errno(LOG_ERROR, "Unable to drop root"); swaylock_log_errno(LOG_ERROR, "Unable to drop root");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
if (setuid(0) != -1) {
swaylock_log_errno(LOG_ERROR, "Unable to drop root (we shouldn't be "
"able to restore it after setuid)");
return false;
}
} }
bool attempt_password(struct swaylock_password *pw) { bool attempt_password(struct swaylock_password *pw) {