process_prefix_flag: Drop privileges

Using --prefix in a setuid binary is quite dangerous. An unprivileged
user could prepare a custom shadow file in home directory. During a data
race the user could exchange directories with links which could lead to
exchange of shadow file in system's /etc directory.

This could be used for local privilege escalation.

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>

diff --git a/libmisc/prefix_flag.c b/libmisc/prefix_flag.c
index 56243f2e1d6162626df8f727b0e46a36b8495f47..d7acb9ca352feac45347d48ce0cf50927e0aabf4 100644 (file)
--- a/libmisc/prefix_flag.c
+++ b/libmisc/prefix_flag.c
@@ -85,6 +85,15 @@ extern const char* process_prefix_flag (const char* short_opt, int argc, char **
 
 
        if (prefix != NULL) {
+               /* Drop privileges */
+               if (   (setregid (getgid (), getgid ()) != 0)
+                   || (setreuid (getuid (), getuid ()) != 0)) {
+                       fprintf (log_get_logfd(),
+                                _("%s: failed to drop privileges (%s)\n"),
+                                log_get_progname(), strerror (errno));
+                       exit (EXIT_FAILURE);
+               }
+
                if ( prefix[0] == '\0' || !strcmp(prefix, "/"))
                        return ""; /* if prefix is "/" then we ignore the flag option */
                /* should we prevent symbolic link from being used as a prefix? */