madmaurice/pidjail
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Make dropped root privileges permanent

Browse source 
seteuid sets the effective uid but at the same time retains the old
effective uid as a so called saved uid, which allows the process to go
back to root at a later point in time. As we don't want that, we use
the function setresuid and setresgid instead, allowing to set the
real, effective and saved uid/gid. We keep the real uid/gid unchanged,
but set the effective and saved uid/gid to the value of the real uid.
This forbids us to not regain root priviliges.
This commit is contained in:
madmaurice 2021-01-15 20:22:22 +01:00
parent 5fe9ba36a2
commit 650a576c56
1 changed files with 5 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
main.c
View file

@ -13,15 +13,17 @@
pid_t pid_child; pid_t pid_child;
void drop_root(void) { void drop_root(void) {
uid_t uid = getuid();
// Drop root privileges // Drop root privileges
if (seteuid(getuid()) == -1) if (setresuid(-1,uid,uid) == -1)
{ {
int err = errno; int err = errno;
printf("Failed to drop root privileges with seteuid (%d)\n", err); printf("Failed to drop root privileges with setresuid (%d)\n", err);
exit(err); exit(err);
} }
if (setegid(getgid()) == -1) gid_t gid = getgid();
if (setresgid(-1,gid,gid) == -1)
{ {
int err = errno; int err = errno;
printf("Failed to drop root privileges with setegid (%d)\n", err); printf("Failed to drop root privileges with setegid (%d)\n", err);