libmisc: Use safer chroot/chdir sequence

OpenSSH and coreutils' chroot call chroot first and then chdir. Doing it
this way is a bit safer because otherwise something could happen between
chdir and chroot to the specified path (like exchange of links) so the
working directory would not end up within the chroot environment.

This is a purely defensive measure.

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>

diff --git a/libmisc/root_flag.c b/libmisc/root_flag.c
index 62915b06994f9dfda2784fe35329050de9f06f7a..5572831a064a8cb5dc942aff3b4347cd31088031 100644 (file)
--- a/libmisc/root_flag.c
+++ b/libmisc/root_flag.c
@@ -91,16 +91,16 @@ static void change_root (const char* newroot)
                exit (E_BAD_ARG);
        }
 
-       if (chdir (newroot) != 0) {
+       if (chroot (newroot) != 0) {
                fprintf(log_get_logfd(),
-                               _("%s: cannot chdir to chroot directory %s: %s\n"),
+                               _("%s: unable to chroot to directory %s: %s\n"),
                                log_get_progname(), newroot, strerror (errno));
                exit (E_BAD_ARG);
        }
 
-       if (chroot (newroot) != 0) {
+       if (chdir ("/") != 0) {
                fprintf(log_get_logfd(),
-                       _("%s: unable to chroot to directory %s: %s\n"),
+                       _("%s: cannot chdir in chroot directory %s: %s\n"),
                        log_get_progname(), newroot, strerror (errno));
                exit (E_BAD_ARG);
        }

diff --git a/libmisc/sub.c b/libmisc/sub.c
index 821596d134b65f38544be856b947f86e57728a29..d8e24473a3d1d686a403d8a01f7a809f1e8d3dc2 100644 (file)
--- a/libmisc/sub.c
+++ b/libmisc/sub.c
@@ -57,8 +57,8 @@ void subsystem (const struct passwd *pw)
         * must be able to change into it.
         */
 
-       if (   (chdir (pw->pw_dir) != 0)
-           || (chroot (pw->pw_dir) != 0)) {
+       if (   (chroot (pw->pw_dir) != 0)
+           || (chdir ("/") != 0)) {
                (void) printf (_("Can't change root directory to '%s'\n"),
                               pw->pw_dir);
                SYSLOG ((LOG_WARN, NO_SUBROOT2, pw->pw_dir, pw->pw_name));