From cb039d928463a98b6ab76a071ce5dfe8cc20b156 Mon Sep 17 00:00:00 2001
From: tedu <tedu@openbsd.org>
Date: Thu, 15 Oct 2015 21:20:09 +0000
Subject: [PATCH] now with _rebound user, we can try a little harder at
 privdrop

---
 usr.sbin/rebound/rebound.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/rebound/rebound.c b/usr.sbin/rebound/rebound.c
index b8495ff73a3..2f9eee919c0 100644
--- a/usr.sbin/rebound/rebound.c
+++ b/usr.sbin/rebound/rebound.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rebound.c,v 1.5 2015/10/15 20:58:14 tedu Exp $ */
+/* $OpenBSD: rebound.c,v 1.6 2015/10/15 21:20:09 tedu Exp $ */
 /*
  * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
  *
@@ -316,7 +316,10 @@ launch(const char *confname, int ud, int ld, int kq)
 			return child;
 	}
 
-	pwd = getpwnam("nobody");
+	if (!(pwd = getpwnam("_rebound"))) {
+		logmsg(LOG_DAEMON | LOG_ERR, "getpwnam failed");
+		exit(1);
+	}
 
 	if (chroot("/var/empty") || chdir("/")) {
 		logmsg(LOG_DAEMON | LOG_ERR, "chroot failed (%d)", errno);
@@ -324,7 +327,12 @@ launch(const char *confname, int ud, int ld, int kq)
 	}
 
 	setproctitle("worker");
-	setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
+	if (setgroups(1, &pwd->pw_gid) ||
+	    setresgid(pwd->pw_gid, pwd->pw_gid, pwd->pw_gid) ||
+	    setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid)) {
+		logmsg(LOG_DAEMON | LOG_ERR, "failed to privdrop");
+		exit(1);
+	}
 
 	close(kq);
 
-- 
2.20.1