From 5a142576e8a4716504b2b72e597f766fb2e0bb05 Mon Sep 17 00:00:00 2001
From: Max Kellermann <max.kellermann@gmail.com>
Date: Sat, 10 May 2025 22:54:48 +0200
Subject: [PATCH] cups/globals: use getauxval(AT_SECURE) for SUID check

Comparing effective and real uid/gid is not a proper way to check for
SUID execution:

1. this does not consider file capabilities

2. this check breaks when NO_NEW_PRIVS is used as the Linux kernel
   resets effective ids during execve(); this means the check is
   false, but the process still has raised capabilities

For more details about the NO_NEW_PRIVS problem, check this post and
the surrounding thread:

 https://lore.kernel.org/lkml/20250509184105.840928-1-max.kellermann@ionos.com/

Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
---
 config-scripts/cups-common.m4 | 1 +
 config.h.in                   | 7 +++++++
 cups/globals.c                | 7 ++++++-
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/config-scripts/cups-common.m4 b/config-scripts/cups-common.m4
index 6cf3e31cb9..4fb05d98ee 100644
--- a/config-scripts/cups-common.m4
+++ b/config-scripts/cups-common.m4
@@ -132,6 +132,7 @@ dnl Checks for header files.
 AC_CHECK_HEADER([langinfo.h], AC_DEFINE([HAVE_LANGINFO_H], [1], [Have <langinfo.h> header?]))
 AC_CHECK_HEADER([malloc.h], AC_DEFINE([HAVE_MALLOC_H], [1], [Have <malloc.h> header?]))
 AC_CHECK_HEADER([stdint.h], AC_DEFINE([HAVE_STDINT_H], [1], [Have <stdint.h> header?]))
+AC_CHECK_HEADER([sys/auxv.h], AC_DEFINE([HAVE_SYS_AUXV_H], [1], [Have <sys/auxv.h> header?]))
 AC_CHECK_HEADER([sys/ioctl.h], AC_DEFINE([HAVE_SYS_IOCTL_H], [1], [Have <sys/ioctl.h> header?]))
 AC_CHECK_HEADER([sys/param.h], AC_DEFINE([HAVE_SYS_PARAM_H], [1], [Have <sys/param.h> header?]))
 AC_CHECK_HEADER([sys/ucred.h], AC_DEFINE([HAVE_SYS_UCRED_H], [1], [Have <sys/ucred.h> header?]))
diff --git a/config.h.in b/config.h.in
index f54f1efc91..ff0b324e21 100644
--- a/config.h.in
+++ b/config.h.in
@@ -295,6 +295,13 @@
 #undef HAVE_AVAHI
 
 
+/*
+ * Do we have <sys/auxv.h>?
+ */
+
+#undef HAVE_SYS_AUXV_H
+
+
 /*
  * Do we have <sys/ioctl.h>?
  */
diff --git a/cups/globals.c b/cups/globals.c
index 572603ea21..a5f46d2eee 100644
--- a/cups/globals.c
+++ b/cups/globals.c
@@ -13,6 +13,9 @@
 #include "debug-internal.h"
 #ifndef _WIN32
 #  include <pwd.h>
+#  ifdef HAVE_SYS_AUXV_H
+#    include <sys/auxv.h> // for getauxval()
+#  endif
 #endif /* !_WIN32 */
 
 
@@ -294,7 +297,9 @@ cups_globals_alloc(void)
 		*xdg_config_home = getenv("XDG_CONFIG_HOME");
 					// Environment variables
 #  endif // !__APPLE__
-#  ifdef HAVE_GETEUID
+#  if defined(HAVE_SYS_AUXV_H) && defined(AT_SECURE)
+  if (getauxval(AT_SECURE))
+#  elif defined(HAVE_GETEUID)
   if ((geteuid() != getuid() && getuid()) || getegid() != getgid())
 #  else
   if (!getuid())
-- 
2.47.2