From: tedu <tedu@openbsd.org>
Date: Thu, 15 Oct 2015 21:20:09 +0000 (+0000)
Subject: now with _rebound user, we can try a little harder at privdrop
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=cb039d928463a98b6ab76a071ce5dfe8cc20b156;p=openbsd

now with _rebound user, we can try a little harder at privdrop
---

diff --git a/usr.sbin/rebound/rebound.c b/usr.sbin/rebound/rebound.c
index b8495ff73a3..2f9eee919c0 100644
--- a/usr.sbin/rebound/rebound.c
+++ b/usr.sbin/rebound/rebound.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rebound.c,v 1.5 2015/10/15 20:58:14 tedu Exp $ */
+/* $OpenBSD: rebound.c,v 1.6 2015/10/15 21:20:09 tedu Exp $ */
 /*
  * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
  *
@@ -316,7 +316,10 @@ launch(const char *confname, int ud, int ld, int kq)
 			return child;
 	}
 
-	pwd = getpwnam("nobody");
+	if (!(pwd = getpwnam("_rebound"))) {
+		logmsg(LOG_DAEMON | LOG_ERR, "getpwnam failed");
+		exit(1);
+	}
 
 	if (chroot("/var/empty") || chdir("/")) {
 		logmsg(LOG_DAEMON | LOG_ERR, "chroot failed (%d)", errno);
@@ -324,7 +327,12 @@ launch(const char *confname, int ud, int ld, int kq)
 	}
 
 	setproctitle("worker");
-	setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
+	if (setgroups(1, &pwd->pw_gid) ||
+	    setresgid(pwd->pw_gid, pwd->pw_gid, pwd->pw_gid) ||
+	    setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid)) {
+		logmsg(LOG_DAEMON | LOG_ERR, "failed to privdrop");
+		exit(1);
+	}
 
 	close(kq);