update-ids-ruleset: Run as unprivileged user.

Check if the script has been launched as privileged user (root) and drop all
permissions by switching to the "nobody" user and group.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset
index 956c3a1f5d406f436fb6955643b66c608aae30c0..dbe5b6849c3da172c83f4c42c69057cd34151863 100644 (file)
--- a/src/scripts/update-ids-ruleset
+++ b/src/scripts/update-ids-ruleset
@@ -20,11 +20,25 @@
 ###############################################################################
 
 use strict;
+use POSIX;
 
 require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/ids-functions.pl";
 require "${General::swroot}/lang.pl";
 
+# The user and group name as which this script should be run.
+my $run_as = 'nobody';
+
+# Get user and group id of the user.
+my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ];
+
+# Check if the script currently runs as root.
+if ( $> == 0 ) {
+       # Drop privileges and switch to the specified user and group.
+       POSIX::setgid( $gid );
+       POSIX::setuid( $uid );
+}
+
 # Check if the red device is active.
 unless (-e "${General::swroot}/red/active") {
        # Store notice in the syslog.