|
 |
b8cfec9 |
Fail when dropping root privileges is not successful.
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
https://bugzilla.novell.com/show_bug.cgi?id=347822
|
|
|
b8cfec9 |
https://bugzilla.redhat.com/show_bug.cgi?id=425481
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
Lubomir Kundrak <lkundrak@redhat.com>
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
Index: src/daemon/main.c
|
|
|
b8cfec9 |
===================================================================
|
|
|
b8cfec9 |
--- src/daemon/main.c (revision 2098)
|
|
|
b8cfec9 |
+++ src/daemon/main.c (working copy)
|
|
|
b8cfec9 |
@@ -372,7 +372,8 @@
|
|
|
b8cfec9 |
pa_limit_caps();
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
/* Drop priviliges, but keep CAP_SYS_NICE */
|
|
|
b8cfec9 |
- pa_drop_root();
|
|
|
b8cfec9 |
+ if (pa_drop_root() < 0)
|
|
|
b8cfec9 |
+ goto finish;
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
/* After dropping root, the effective set is reset, hence,
|
|
|
b8cfec9 |
* let's raise it again */
|
|
|
b8cfec9 |
@@ -443,7 +444,8 @@
|
|
|
b8cfec9 |
* let's give it up early */
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
pa_drop_caps();
|
|
|
b8cfec9 |
- pa_drop_root();
|
|
|
b8cfec9 |
+ if (pa_drop_root() < 0)
|
|
|
b8cfec9 |
+ goto finish;
|
|
|
b8cfec9 |
suid_root = real_root = FALSE;
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
if (conf->high_priority || conf->realtime_scheduling)
|
|
|
b8cfec9 |
@@ -497,7 +499,8 @@
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
if (drop) {
|
|
|
b8cfec9 |
pa_drop_caps();
|
|
|
b8cfec9 |
- pa_drop_root();
|
|
|
b8cfec9 |
+ if (pa_drop_root() < 0)
|
|
|
b8cfec9 |
+ goto finish;
|
|
|
b8cfec9 |
suid_root = real_root = FALSE;
|
|
|
b8cfec9 |
}
|
|
|
b8cfec9 |
}
|
|
|
b8cfec9 |
Index: src/daemon/caps.c
|
|
|
b8cfec9 |
===================================================================
|
|
|
b8cfec9 |
--- src/daemon/caps.c (revision 2098)
|
|
|
b8cfec9 |
+++ src/daemon/caps.c (working copy)
|
|
|
b8cfec9 |
@@ -54,27 +54,36 @@
|
|
|
b8cfec9 |
#ifdef HAVE_GETUID
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
/* Drop root rights when called SUID root */
|
|
|
b8cfec9 |
-void pa_drop_root(void) {
|
|
|
b8cfec9 |
+int pa_drop_root(void) {
|
|
|
b8cfec9 |
uid_t uid = getuid();
|
|
|
b8cfec9 |
+ int error = 0;
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
if (uid == 0 || geteuid() != 0)
|
|
|
b8cfec9 |
- return;
|
|
|
b8cfec9 |
+ return 0;
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
pa_log_info("Dropping root priviliges.");
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
#if defined(HAVE_SETRESUID)
|
|
|
b8cfec9 |
- setresuid(uid, uid, uid);
|
|
|
b8cfec9 |
+ error += setresuid(uid, uid, uid);
|
|
|
b8cfec9 |
#elif defined(HAVE_SETREUID)
|
|
|
b8cfec9 |
- setreuid(uid, uid);
|
|
|
b8cfec9 |
+ error += setreuid(uid, uid);
|
|
|
b8cfec9 |
#else
|
|
|
b8cfec9 |
- setuid(uid);
|
|
|
b8cfec9 |
- seteuid(uid);
|
|
|
b8cfec9 |
+ error += setuid(uid);
|
|
|
b8cfec9 |
+ error += seteuid(uid);
|
|
|
b8cfec9 |
#endif
|
|
|
b8cfec9 |
+
|
|
|
b8cfec9 |
+ if (error != 0) {
|
|
|
b8cfec9 |
+ pa_log_error("Could not drop root priviliges.");
|
|
|
b8cfec9 |
+ return -1;
|
|
|
b8cfec9 |
+ }
|
|
|
b8cfec9 |
+
|
|
|
b8cfec9 |
+ return 0;
|
|
|
b8cfec9 |
}
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
#else
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
-void pa_drop_root(void) {
|
|
|
b8cfec9 |
+int pa_drop_root(void) {
|
|
|
b8cfec9 |
+ return 0;
|
|
|
b8cfec9 |
}
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
#endif
|
|
|
b8cfec9 |
@@ -142,8 +151,7 @@
|
|
|
b8cfec9 |
}
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
int pa_drop_caps(void) {
|
|
|
b8cfec9 |
- pa_drop_root();
|
|
|
b8cfec9 |
- return 0;
|
|
|
b8cfec9 |
+ return pa_drop_root();
|
|
|
b8cfec9 |
}
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
#endif
|
|
|
b8cfec9 |
Index: src/daemon/caps.h
|
|
|
b8cfec9 |
===================================================================
|
|
|
b8cfec9 |
--- src/daemon/caps.h (revision 2098)
|
|
|
b8cfec9 |
+++ src/daemon/caps.h (working copy)
|
|
|
b8cfec9 |
@@ -24,7 +24,7 @@
|
|
|
b8cfec9 |
USA.
|
|
|
b8cfec9 |
***/
|
|
|
b8cfec9 |
|
|
|
b8cfec9 |
-void pa_drop_root(void);
|
|
|
b8cfec9 |
+int pa_drop_root(void);
|
|
|
b8cfec9 |
int pa_limit_caps(void);
|
|
|
b8cfec9 |
int pa_drop_caps(void);
|
|
|
b8cfec9 |
|