DropPrivs: Also check for saved set-user-ID and set-group-ID

author: Julian Andres Klode <jak@debian.org> 2014-09-24 20:57:30 +0200
committer: Julian Andres Klode <jak@debian.org> 2014-09-24 20:57:30 +0200
commit: 550ab420d398f303ff8cbc51e1f4dab79f8cbdf2 (patch)
tree: 979e98c951b52c9b8a2bc148d874d36358f6f921 /apt-pkg
parent: 3b084f06b65ea073176b26fd9e472dc0f76b44b0 (diff)
1 files changed, 20 insertions, 0 deletions
diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc
index 98544b60c..05c2f2e00 100644
--- a/apt-pkg/contrib/fileutl.cc
+++ b/apt-pkg/contrib/fileutl.cc
@@ -2237,6 +2237,26 @@ bool DropPrivs()
    if (geteuid() != pw->pw_uid)
       return _error->Error("Could not switch effective user");
 
+#ifdef HAVE_GETRESUID
+   uid_t ruid = 0;
+   uid_t euid = 0;
+   uid_t suid = 0;
+   if (getresuid(&ruid, &euid, &suid))
+      return _error->Errno("getresuid", "Could not get saved set-user-ID");
+   if (suid != pw->pw_uid)
+      return _error->Error("Could not switch saved set-user-ID");
+#endif
+
+#ifdef HAVE_GETRESGID
+   gid_t rgid = 0;
+   gid_t egid = 0;
+   gid_t sgid = 0;
+   if (getresgid(&rgid, &egid, &sgid))
+      return _error->Errno("getresuid", "Could not get saved set-group-ID");
+   if (sgid != pw->pw_gid)
+      return _error->Error("Could not switch saved set-group-ID");
+#endif
+
    /* TODO: Check saved uid/saved gid as well */
    return true;
 }
author	Julian Andres Klode <jak@debian.org>	2014-09-24 20:57:30 +0200
committer	Julian Andres Klode <jak@debian.org>	2014-09-24 20:57:30 +0200
commit	550ab420d398f303ff8cbc51e1f4dab79f8cbdf2 (patch)
tree	979e98c951b52c9b8a2bc148d874d36358f6f921 /apt-pkg
parent	3b084f06b65ea073176b26fd9e472dc0f76b44b0 (diff)