newgrp, sg: Open audit socket after check_fds

The check_fds function is supposed to ensure that fds 0, 1, and 2 are
opened in a well-defined state, i.e. either they are already connected
to supposed input/output files or will be connected to /dev/null if not.

Opening the audit socket before checking the fds allows the audit socket
to get one of these numbers.

Avoid this by opening the audit socket after the check.

In general, this check is already covered by system libraries, but this
proof of concept works for root user. Note the different states of the
file descriptor 2.

In bash or another shell that interprets `2>&-` as closing stderr with
shadow + audit support, e.g. Arch Linux:
```
sg bin 'ls -l /proc/self/fd'
sg bin 'ls -l /proc/self/fd' 2>/dev/null
sg bin 'ls -l /proc/self/fd' 2>&-
```

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

diff --git a/src/newgrp.c b/src/newgrp.c
index 77e57be509e239881f52e8d1ff59f413f98b326d..055da7d3003f3f5c9b1ab6a66993eb49516abd0c 100644 (file)
--- a/src/newgrp.c
+++ b/src/newgrp.c
@@ -387,10 +387,6 @@ int main (int argc, char **argv)
        struct sgrp *sgrp;
 #endif
 
-#ifdef WITH_AUDIT
-       audit_help_open ();
-#endif
-
        check_fds ();
 
        (void) setlocale (LC_ALL, "");
@@ -432,6 +428,9 @@ int main (int argc, char **argv)
        log_set_progname(Prog);
        log_set_logfd(stderr);
        OPENLOG (Prog);
+#ifdef WITH_AUDIT
+       audit_help_open ();
+#endif
        argc--;
        argv++;