diff options
| author | Kamil Rytarowski <krytarowski@users.noreply.github.com> | 2019-01-14 09:53:58 +0100 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2019-01-14 09:53:58 +0100 |
| commit | ecb717ca8912ded98c3c621e9aa0847245173ad4 (patch) | |
| tree | 08b44e0a03047907746bf1228f56cc74ccc46f4c /executor | |
| parent | 95485883f6451cd21e4f7643c32fad0b66bb134d (diff) | |
executor: adapt switching to user nobody to be more portable on BSDs
NetBSD uses different uid/gid than FreeBSD/OpenBSD for the user
nobody. Instead of hardcoding the values, retrieve it from the
password entry database.
While there, switch to setuid(2) and setgid(2) calls as they are
good enough and portable. setresgid(2) and setresuid(2) aren't
available on NetBSD.
Diffstat (limited to 'executor')
| -rw-r--r-- | executor/common_bsd.h | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/executor/common_bsd.h b/executor/common_bsd.h index 652f3c660..40c9d14fb 100644 --- a/executor/common_bsd.h +++ b/executor/common_bsd.h @@ -5,6 +5,7 @@ #include <unistd.h> +#include <pwd.h> #include <stdarg.h> #include <stdbool.h> #include <string.h> @@ -347,13 +348,17 @@ static int do_sandbox_setuid(void) initialize_tun(procid); #endif - const int nobody = 65534; + char pwbuf[1024]; + struct passwd *pw, pwres; + if (getpwnam_r("nobody", &pwres, pwbuf, sizeof(pwbuf), &pw) != 0 || !pw) + fail("getpwnam_r(\"nobody\") failed"); + if (setgroups(0, NULL)) fail("failed to setgroups"); - if (setresgid(nobody, nobody, nobody)) - fail("failed to setresgid"); - if (setresuid(nobody, nobody, nobody)) - fail("failed to setresuid"); + if (setgid(pw->pw_gid)) + fail("failed to setgid"); + if (setuid(pw->pw_uid)) + fail("failed to setuid"); loop(); doexit(1); |