From 1f5e1a9c1fd57b6ab4dfdfa49ec133b60e8bfbce Mon Sep 17 00:00:00 2001
From: MadMaurice
Date: Tue, 12 Jan 2021 19:50:07 +0100
Subject: [PATCH] Drop root privileges earlier

We don't need the root privileges after we unshare and the first fork. Therefor we can drop those for safety reasons.
---
 main.c | 34 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 15 deletions(-)

diff --git a/main.c b/main.c
index 674e657..12097e8 100644
--- a/main.c
+++ b/main.c
@@ -9,6 +9,22 @@
 #include
 #include
+void drop_root(void) {
+ // Drop root privileges
+ if (seteuid(getuid()) == -1)
+ {
+ int err = errno;
+ printf("Failed to drop root privileges with seteuid (%d)\n", err);
+ exit(err);
+ }
+
+ if (setegid(getgid()) == -1)
+ {
+ int err = errno;
+ printf("Failed to drop root privileges with setegid (%d)\n", err);
+ exit(err);
+ }
+}
 char** argdup(int argc, const char** argv)
 {
@@ -46,6 +62,9 @@ int main(int argc, const char** argv)
 return err;
 }
+ // Drop root privileges, we only needed those for the unshare call and fork above.
+ drop_root();
+
 if (pid != 0)
 {
 // parent waits for child then exits
@@ -94,21 +113,6 @@ int main(int argc, const char** argv)
 // First child of init process. do exec here
 // use cli arguments for subprocess. skip 0 as it's our programs name.
- // Drop root privileges
- if (seteuid(getuid()) == -1)
- {
- int err = errno;
- printf("Failed to drop root privileges with seteuid (%d)\n", err);
- return err;
- }
-
- if (setegid(getgid()) == -1)
- {
- int err = errno;
- printf("Failed to drop root privileges with setegid (%d)\n", err);
- return err;
- }
-
 char** newargs = argdup(argc-1, &argv[1]);
 if (execvp(newargs[0], newargs) == -1)
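Review bot: drop_root() only lowers the effective IDs: `seteuid(getuid())` and `setegid(getgid())` leave the saved set-user-ID and set-group-ID at their privileged values, so any code that runs in this process before the exec can call `seteuid(0)` and be root again. Since the commit message says root is not needed from this point on, the drop should be permanent and group-first, `if (setgid(getgid()) == -1) { ... }` followed by `if (setuid(getuid()) == -1) { ... }`, which reset the real, effective and saved IDs while the process is still privileged. The failure messages would also be better on stderr, and `exit(err)` turns an errno value into the exit status where `exit(EXIT_FAILURE)` is unambiguous. This assumes the binary is installed set-user-ID root, which the calls suggest but the hunk does not show.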
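Review bot: The comment added above `drop_root();` says root was needed for the fork, but fork() itself requires no privilege; if only the unshare call needs root, the drop could sit directly after unshare so the fork error path also runs unprivileged, with the comment reading `// Drop root privileges; only the unshare() call above needed them.`. Because the call sits before `if (pid != 0)`, it now runs in both the parent and the child, so it is worth confirming that nothing later in the child branch still depends on root, since that code is outside the hunk. main() starts and ends outside this hunk.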