author | 2015-10-15 21:20:09 +0000 | |
---|---|---|
committer | 2015-10-15 21:20:09 +0000 | |
commit | cb039d928463a98b6ab76a071ce5dfe8cc20b156 (patch) | |
tree | eeb2dc95652199877823b3ca237b23458df6f7e7 | |
parent | _rebound user and group (52) (diff) | |
now with _rebound user, we can try a little harder at privdrop
-rw-r--r-- | usr.sbin/rebound/rebound.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/usr.sbin/rebound/rebound.c b/usr.sbin/rebound/rebound.c
index b8495ff73a3..2f9eee919c0 100644
--- a/usr.sbin/rebound/rebound.c
+++ b/usr.sbin/rebound/rebound.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rebound.c,v 1.5 2015/10/15 20:58:14 tedu Exp $ */
+/* $OpenBSD: rebound.c,v 1.6 2015/10/15 21:20:09 tedu Exp $ */
 /*
 * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
 *
@@ -316,7 +316,10 @@ launch(const char *confname, int ud, int ld, int kq)
 return child;
 }
- pwd = getpwnam("nobody");
+ if (!(pwd = getpwnam("_rebound"))) {
+ logmsg(LOG_DAEMON | LOG_ERR, "getpwnam failed");
+ exit(1);
+ }
 if (chroot("/var/empty") || chdir("/")) {
 logmsg(LOG_DAEMON | LOG_ERR, "chroot failed (%d)", errno);
@@ -324,7 +327,12 @@ launch(const char *confname, int ud, int ld, int kq)
 }
 setproctitle("worker");
- setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
+ if (setgroups(1, &pwd->pw_gid) ||
+ setresgid(pwd->pw_gid, pwd->pw_gid, pwd->pw_gid) ||
+ setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid)) {
+ logmsg(LOG_DAEMON | LOG_ERR, "failed to privdrop");
+ exit(1);
+ }
 close(kq); |
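Review bot: The account lookup on the new `if (!(pwd = getpwnam("_rebound")))` line in the @@ -316 hunk runs only after the parent has already taken the `return child` path at the top of the hunk, so a missing `_rebound` account is discovered per worker rather than once at startup. If launch() is entered after a fork, as the `return child` suggests, resolving the account a single time in the parent before forking would turn a misconfigured system into one fatal startup error instead of a stream of dying workers, while still keeping the lookup ahead of the chroot("/var/empty") that follows. The log line would also be easier to act on if it named what was looked up, e.g. `logmsg(LOG_DAEMON | LOG_ERR, "getpwnam _rebound failed");`. launch() begins and ends outside the hunk.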