From: Alan T. DeKok Date: Mon, 15 Sep 2025 19:29:49 +0000 (-0400) Subject: clear CAP_SUID and CAP_GUID as necessary. Fixes #5647 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=40f184b3fae2a566eff57b44fddce273bcac4011;p=thirdparty%2Ffreeradius-server.git clear CAP_SUID and CAP_GUID as necessary. Fixes #5647 --- diff --git a/src/lib/server/main_config.c b/src/lib/server/main_config.c index df29ef603a..5801922c7e 100644 --- a/src/lib/server/main_config.c +++ b/src/lib/server/main_config.c @@ -41,6 +41,7 @@ RCSID("$Id$") #include #include #include +#include #include #include @@ -714,6 +715,13 @@ static int switch_users(main_config_t *config, CONF_SECTION *cs) config->name, group->gr_name, fr_syserror(errno)); return -1; } + + if ((fr_cap_disable(CAP_SETGID, CAP_EFFECTIVE) < 0) || + (fr_cap_disable(CAP_SETGID, CAP_INHERITABLE) < 0) || + (fr_cap_disable(CAP_SETGID, CAP_PERMITTED) < 0)) { + fprintf(stderr, "Failed disabling CAP_SGID - %s", fr_syserror(errno)); + return -1; + } } #endif diff --git a/src/lib/server/util.c b/src/lib/server/util.c index 82a1aa7c13..5ea37206e7 100644 --- a/src/lib/server/util.c +++ b/src/lib/server/util.c @@ -27,6 +27,7 @@ RCSID("$Id$") #include #include #include +#include #include @@ -803,6 +804,16 @@ void rad_suid_down_permanent(void) fr_exit_now(EXIT_FAILURE); } + /* + * Shut down most of the interesting things which might get abused. + */ + if ((fr_cap_disable(CAP_SETUID, CAP_EFFECTIVE) < 0) || + (fr_cap_disable(CAP_SETUID, CAP_INHERITABLE) < 0) || + (fr_cap_disable(CAP_SETUID, CAP_PERMITTED) < 0)) { + ERROR("Failed disabling CAP_SUID"); + fr_exit_now(EXIT_FAILURE); + } + fr_reset_dumpable(); suid_down_permanent = true; diff --git a/src/lib/util/cap.h b/src/lib/util/cap.h index f83d727dc8..9ccc7ebf62 100644 --- a/src/lib/util/cap.h +++ b/src/lib/util/cap.h 
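Review bot: The failure message added in switch_users (src/lib/server/main_config.c) names a capability that does not exist, has no trailing newline, and prints `errno` although nothing visible here shows that fr_cap_disable() leaves it set on failure. The capability being cleared is CAP_SETGID, so the line should read `fprintf(stderr, "Failed disabling CAP_SETGID - %s\n", fr_syserror(errno));`, or take the reason from fr_strerror() if fr_cap_disable() reports through the library error stack. The same misnaming is in the rad_suid_down_permanent hunk in src/lib/server/util.c, where `ERROR("Failed disabling CAP_SUID")` should say CAP_SETUID and would benefit from including the reason. An operator searching logs for the real capability name would otherwise miss a failed privilege drop. switch_users starts and ends outside the hunk.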
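Review bot: The new comment in rad_suid_down_permanent (src/lib/server/util.c) says it shuts down "most of the interesting things", but the code under it clears only CAP_SETUID. CAP_SETGID is cleared only in switch_users, and that block appears to sit inside a conditional that closes right after it, so a process started with capabilities and no group change configured may keep CAP_SETGID; confirm against the enclosing condition. I would either clear CAP_SETGID here as well or narrow the comment to `/* Drop CAP_SETUID from the effective, inheritable and permitted sets. */`. The function continues outside the hunk.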
@@ -41,6 +41,21 @@ int fr_cap_enable(cap_value_t cap, cap_flag_t set); int fr_cap_disable(cap_value_t cap, cap_flag_t set); ssize_t fr_cap_set_to_str(TALLOC_CTX *ctx, char **out); + +#else +/* + * So we don't have ifdef's throughout the rest of the code. + */ +# define CAP_EFFECTIVE (0) +# define CAP_INHERITABLE (0) +# define CAP_PERMITTED (0) + +# define CAP_SETUID (0) +# define CAP_SETGID (0) +# define CAP_CHOWN (0) + +# define fr_cap_disable(_x, _y) (0) + #endif #ifdef __cplusplus
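Review bot: The fallback `# define fr_cap_disable(_x, _y) (0)` reports success without doing anything, and the comment above it does not say so. On a build that takes this `#else` branch both new callers pass their checks while the process keeps any capabilities it was started with, so the comment should state that, e.g. `/* No capability support: fr_cap_disable() is a no-op that reports success, nothing is dropped. */`. CAP_CHOWN is defined here but no hunk in this commit uses it, so it can probably wait until a caller needs it. The `#if` that this `#else` belongs to is outside the hunk.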