Fix chroot(2) call in control process.

Use /var/empty as chroot directory.  Call chroot(2) before setresuid(2).
Do the error check correctly.  Call chdir(2) after chroot(2).

from spiros thanasoulas; with florian@ tb@; OK millert@

diff --git a/usr.sbin/lpd/control.c b/usr.sbin/lpd/control.c
index 1904327..fb6e0fa 100644 (file)
--- a/usr.sbin/lpd/control.c
+++ b/usr.sbin/lpd/control.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: control.c,v 1.2 2022/12/28 21:30:17 jmc Exp $ */
+/*     $OpenBSD: control.c,v 1.3 2024/03/22 19:14:28 bluhm Exp $       */
 
 /*
  * Copyright (c) 2017 Eric Faurot <eric@openbsd.org>
@@ -25,6 +25,7 @@
 #include <errno.h>
 #include <event.h>
 #include <imsg.h>
+#include <paths.h>
 #include <pwd.h>
 #include <signal.h>
 #include <stdlib.h>
@@ -71,14 +72,16 @@ control(int debug, int verbose)
        if ((pw = getpwnam(LPD_USER)) == NULL)
                fatalx("unknown user " LPD_USER);
 
+       if (chroot(_PATH_VAREMPTY) == -1)
+               fatal("%s: chroot", __func__);
+       if (chdir("/") == -1)
+               fatal("%s: chdir", __func__);
+
        if (setgroups(1, &pw->pw_gid) ||
            setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
            setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
                fatal("cannot drop privileges");
 
-       if (chroot(pw->pw_dir) == 1)
-               fatal("%s: chroot", __func__);
-
        if (pledge("stdio unix recvfd sendfd", NULL) == -1)
                fatal("%s: pledge", __func__);