From 6556019a6dc8f79dd5c235817cf95b98139b4eb4 Mon Sep 17 00:00:00 2001
From: Roy Marples <roy@marples.name>
Date: Sun, 6 Sep 2020 13:53:08 +0100
Subject: [PATCH] privsep: dump leases in a sandbox

---
 src/dhcpcd.c  | 8 ++++++++
 src/privsep.c | 5 +++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/dhcpcd.c b/src/dhcpcd.c
index efbd672b..ba0c905a 100644
--- a/src/dhcpcd.c
+++ b/src/dhcpcd.c
@@ -2198,6 +2198,14 @@ printpidfile:
 			ctx.control_fd = control_open(NULL, AF_UNSPEC,
 			    ctx.options & DHCPCD_DUMPLEASE);
 		if (ctx.control_fd != -1) {
+#ifdef PRIVSEP
+			ctx.options &= ~DHCPCD_FORKED;
+			if (IN_PRIVSEP(&ctx) && ps_mastersandbox(&ctx) == -1) {
+				ctx.options |= DHCPCD_FORKED;
+				goto exit_failure;
+			}
+			ctx.options |= DHCPCD_FORKED;
+#endif
 			if (!(ctx.options & DHCPCD_DUMPLEASE))
 				loginfox("sending commands to dhcpcd process");
 			len = control_send(&ctx, argc, argv);
diff --git a/src/privsep.c b/src/privsep.c
index 5a10d26a..3f1dc2d6 100644
--- a/src/privsep.c
+++ b/src/privsep.c
@@ -124,9 +124,10 @@ ps_dropprivs(struct dhcpcd_ctx *ctx)
 	if (chdir("/") == -1)
 		logerr("%s: chdir `/'", __func__);
 
-	if (setgroups(1, &pw->pw_gid) == -1 ||
+	if ((setgroups(1, &pw->pw_gid) == -1 ||
 	     setgid(pw->pw_gid) == -1 ||
-	     setuid(pw->pw_uid) == -1)
+	     setuid(pw->pw_uid) == -1) &&
+	     (errno != EPERM || ctx->options & DHCPCD_FORKED))
 	{
 		logerr("failed to drop privileges");
 		return -1;
-- 
2.47.2