From ecb717ca8912ded98c3c621e9aa0847245173ad4 Mon Sep 17 00:00:00 2001
From: Kamil Rytarowski <krytarowski@users.noreply.github.com>
Date: Mon, 14 Jan 2019 09:53:58 +0100
Subject: executor: adapt switching to user nobody to be more portable on BSDs

NetBSD uses different uid/gid than FreeBSD/OpenBSD for the user
nobody. Instead of hardcoding the values, retrieve it from the
password entry database.

While there, switch to setuid(2) and setgid(2) calls as they are
good enough and portable. setresgid(2) and setresuid(2) aren't
available on NetBSD.
---
 executor/common_bsd.h | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

(limited to 'executor/common_bsd.h')

diff --git a/executor/common_bsd.h b/executor/common_bsd.h
index 652f3c660..40c9d14fb 100644
--- a/executor/common_bsd.h
+++ b/executor/common_bsd.h
@@ -5,6 +5,7 @@
 
 #include <unistd.h>
 
+#include <pwd.h>
 #include <stdarg.h>
 #include <stdbool.h>
 #include <string.h>
@@ -347,13 +348,17 @@ static int do_sandbox_setuid(void)
 	initialize_tun(procid);
 #endif
 
-	const int nobody = 65534;
+	char pwbuf[1024];
+	struct passwd *pw, pwres;
+	if (getpwnam_r("nobody", &pwres, pwbuf, sizeof(pwbuf), &pw) != 0 || !pw)
+		fail("getpwnam_r(\"nobody\") failed");
+
 	if (setgroups(0, NULL))
 		fail("failed to setgroups");
-	if (setresgid(nobody, nobody, nobody))
-		fail("failed to setresgid");
-	if (setresuid(nobody, nobody, nobody))
-		fail("failed to setresuid");
+	if (setgid(pw->pw_gid))
+		fail("failed to setgid");
+	if (setuid(pw->pw_uid))
+		fail("failed to setuid");
 
 	loop();
 	doexit(1);
-- 
cgit mrf-deployment