include/c: add drop_permissions(), consolidate UID/GID reset

Fixes: https://github.com/karelzak/util-linux/issues/1354 Signed-off-by: Karel Zak <kzak@redhat.com>
2021-06-21 12:25:31 +02:00 · 2021-06-21 12:25:31 +02:00 · 17fc8693cd
parent 0272f2ef98
commit 17fc8693cd
11 changed files with 40 additions and 51 deletions
--- a/include/c.h
+++ b/include/c.h
@ -16,6 +16,8 @@
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
+#include <sys/types.h>
+#include <grp.h>

 #include <assert.h>

@ -335,6 +337,28 @@ static inline size_t get_hostname_max(void)
 	return 64;
 }

+
+static inline int drop_permissions(void)
+{
+	errno = 0;
+
+	/* drop supplementary groups */
+	if (setgroups(0, NULL) != 0)
+		goto fail;
+
+	/* drop GID */
+	if (setgid(getgid()) < 0)
+		goto fail;
+
+	/* drop UID */
+	if (setuid(getuid()) < 0)
+		goto fail;
+
+	return 0;
+fail:
+	return errno ? -errno : -1;
+}
+
 /*
 * The usleep function was marked obsolete in POSIX.1-2001 and was removed
 * in POSIX.1-2008.  It was replaced with nanosleep() that provides more
--- a/lib/canonicalize.c
+++ b/lib/canonicalize.c
@ -170,8 +170,7 @@ char *canonicalize_path_restricted(const char *path)
 		pipes[0] = -1;
 		errno = 0;

-		/* drop permissions */
-		if (setgid(getgid()) < 0 || setuid(getuid()) < 0)
+		if (drop_permissions() != 0)
 			canonical = NULL;	/* failed */
 		else {
 			char *dmname = NULL;
--- a/libblkid/src/topology/dm.c
+++ b/libblkid/src/topology/dm.c
@ -73,10 +73,7 @@ static int probe_dm_tp(blkid_probe pr,
 		if (dmpipe[1] != STDOUT_FILENO)
 			dup2(dmpipe[1], STDOUT_FILENO);

-		/* The libblkid library could linked with setuid programs */
-		if (setgid(getgid()) < 0)
-			 exit(1);
-		if (setuid(getuid()) < 0)
+		if (drop_permissions() != 0)
 			 exit(1);

 		snprintf(maj, sizeof(maj), "%d", major(devno));
--- a/libblkid/src/topology/lvm.c
+++ b/libblkid/src/topology/lvm.c
@ -82,10 +82,7 @@ static int probe_lvm_tp(blkid_probe pr,
 		if (lvpipe[1] != STDOUT_FILENO)
 			dup2(lvpipe[1], STDOUT_FILENO);

-		/* The libblkid library could linked with setuid programs */
-		if (setgid(getgid()) < 0)
-			 exit(1);
-		if (setuid(getuid()) < 0)
+		if (drop_permissions() != 0)
 			 exit(1);

 		lvargv[0] = cmd;
--- a/libmount/src/context_mount.c
+++ b/libmount/src/context_mount.c
@ -645,10 +645,7 @@ static int exec_helper(struct libmnt_context *cxt)
 		const char *args[14], *type;
 		int i = 0;

-		if (setgid(getgid()) < 0)
-			_exit(EXIT_FAILURE);
-
-		if (setuid(getuid()) < 0)
+		if (drop_permissions() != 0)
 			_exit(EXIT_FAILURE);

 		if (!mnt_context_switch_origin_ns(cxt))
--- a/libmount/src/context_umount.c
+++ b/libmount/src/context_umount.c
@ -696,10 +696,7 @@ static int exec_helper(struct libmnt_context *cxt)
 		const char *args[12], *type;
 		int i = 0;

-		if (setgid(getgid()) < 0)
-			_exit(EXIT_FAILURE);
-
-		if (setuid(getuid()) < 0)
+		if (drop_permissions() != 0)
 			_exit(EXIT_FAILURE);

 		if (!mnt_context_switch_origin_ns(cxt))
--- a/sys-utils/eject.c
+++ b/sys-utils/eject.c
@ -658,12 +658,8 @@ static void umount_one(const struct eject_control *ctl, const char *name)

 	switch (fork()) {
 	case 0: /* child */
-		if (setgid(getgid()) < 0)
-			err(EXIT_FAILURE, _("cannot set group id"));
-
-		if (setuid(getuid()) < 0)
-			err(EXIT_FAILURE, _("cannot set user id"));
-
+		if (drop_permissions() != 0)
+			err(EXIT_FAILURE, _("drop permissions failed"));
 		if (ctl->p_option)
 			execl("/bin/umount", "/bin/umount", name, "-n", (char *)NULL);
 		else
--- a/sys-utils/mount.c
+++ b/sys-utils/mount.c
@ -54,13 +54,8 @@ static void suid_drop(struct libmnt_context *cxt)
 	const uid_t ruid = getuid();
 	const uid_t euid = geteuid();

-	if (ruid != 0 && euid == 0) {
-		if (setgid(getgid()) < 0)
-			err(MNT_EX_FAIL, _("setgid() failed"));
-
-		if (setuid(getuid()) < 0)
-			err(MNT_EX_FAIL, _("setuid() failed"));
-	}
+	if (ruid != 0 && euid == 0 && drop_permissions() != 0)
+		err(MNT_EX_FAIL, _("drop permissions failed"));

 	/* be paranoid and check it, setuid(0) has to fail */
 	if (ruid != 0 && setuid(0) == 0)
--- a/sys-utils/swapon.c
+++ b/sys-utils/swapon.c
@ -333,13 +333,8 @@ static int swap_reinitialize(struct swap_device *dev)
 		return -1;

 	case 0:	/* child */
-		if (geteuid() != getuid()) {
-			/* in case someone uses swapon as setuid binary */
-			if (setgid(getgid()) < 0)
-				exit(EXIT_FAILURE);
-			if (setuid(getuid()) < 0)
-				exit(EXIT_FAILURE);
-		}
+		if (geteuid() != getuid() && drop_permissions() != 0)
+			exit(EXIT_FAILURE);

 		cmd[idx++] = "mkswap";
 		if (dev->label) {
--- a/sys-utils/umount.c
+++ b/sys-utils/umount.c
@ -118,13 +118,8 @@ static void suid_drop(struct libmnt_context *cxt)
 	const uid_t ruid = getuid();
 	const uid_t euid = geteuid();

-	if (ruid != 0 && euid == 0) {
-		if (setgid(getgid()) < 0)
-			err(MNT_EX_FAIL, _("setgid() failed"));
-
-		if (setuid(getuid()) < 0)
-			err(MNT_EX_FAIL, _("setuid() failed"));
-	}
+	if (ruid != 0 && euid == 0 && drop_permissions() != 0)
+		err(MNT_EX_FAIL, _("drop permissions failed"));

 	/* be paranoid and check it, setuid(0) has to fail */
 	if (ruid != 0 && setuid(0) == 0)
--- a/text-utils/more.c
+++ b/text-utils/more.c
@ -1250,12 +1250,9 @@ static void __attribute__((__format__ (__printf__, 3, 4)))
 		}
 		va_end(argp);

-		if (geteuid() != getuid() || getegid() != getgid()) {
-			if (setgid(getgid()) < 0)
-				err(EXIT_FAILURE, _("setgid failed"));
-			if (setuid(getuid()) < 0)
-				err(EXIT_FAILURE, _("setuid failed"));
-		}
+		if ((geteuid() != getuid() || getegid() != getgid())
+		    && drop_permissions() != 0)
+			err(EXIT_FAILURE, _("drop permissions failed"));

 		execvp(cmd, args);
 		errsv = errno;