From: Nick Porter
Date: Wed, 17 Sep 2025 13:44:40 +0000 (+0100)
Subject: Don't drop capabilities too early
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8a19159a192a970bbfdfd6a0aaa6e5c35fc6ce52;p=thirdparty%2Ffreeradius-server.git

Don't drop capabilities too early

Dropping CAP_SETGID too early can cause setresuid() to fail on some platforms. Seen when running `freeradius -XC` on Debian platforms.
---
diff --git a/src/lib/server/main_config.c b/src/lib/server/main_config.c
index 5801922c7eb..df29ef603a4 100644
--- a/src/lib/server/main_config.c
+++ b/src/lib/server/main_config.c
@@ -41,7 +41,6 @@ RCSID("$Id$")
 #include
 #include
 #include
-#include
 #include
 #include
@@ -715,13 +714,6 @@ static int switch_users(main_config_t *config, CONF_SECTION *cs)
 config->name, group->gr_name, fr_syserror(errno));
 return -1;
 }
-
- if ((fr_cap_disable(CAP_SETGID, CAP_EFFECTIVE) < 0) ||
- (fr_cap_disable(CAP_SETGID, CAP_INHERITABLE) < 0) ||
- (fr_cap_disable(CAP_SETGID, CAP_PERMITTED) < 0)) {
- fprintf(stderr, "Failed disabling CAP_SGID - %s", fr_syserror(errno));
- return -1;
- }
 }
 #endif
diff --git a/src/lib/server/util.c b/src/lib/server/util.c
index 5ea37206e7c..e97d5039c30 100644
--- a/src/lib/server/util.c
+++ b/src/lib/server/util.c
@@ -814,6 +814,15 @@ void rad_suid_down_permanent(void)
 fr_exit_now(EXIT_FAILURE);
 }
+#ifdef HAVE_GRP_H
+ if ((fr_cap_disable(CAP_SETGID, CAP_EFFECTIVE) < 0) ||
+ (fr_cap_disable(CAP_SETGID, CAP_INHERITABLE) < 0) ||
+ (fr_cap_disable(CAP_SETGID, CAP_PERMITTED) < 0)) {
+ ERROR("Failed disabling CAP_SGID");
+ fr_exit_now(EXIT_FAILURE);
+ }
+#endif
+
 fr_reset_dumpable();
 suid_down_permanent = true;
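Review bot: The CAP_SETGID drop added to rad_suid_down_permanent() in util.c only runs if execution gets past the uid-switch check just above it, and the opening of that function is outside the hunk. If it has an early return (for example when no uid switch is configured), a group-only configuration would now keep CAP_SETGID in the permitted set for the life of the process, which the block removed from switch_users() did not allow; this should be confirmed against the full function. The new failure path also loses the errno detail the old one printed and still calls the capability "CAP_SGID", so I would write `ERROR("Failed disabling CAP_SETGID - %s", fr_syserror(errno));`. A short comment above the `#ifdef HAVE_GRP_H` block would keep the drop from being moved back, e.g. `/* CAP_SETGID must still be held when setresuid() runs on some platforms; drop it only after the uid switch is final. */`.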