Use _apt as our unprivileged user name

[apt.git] / apt-pkg / contrib / fileutl.cc

diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc
index 6b8f04dea1519f5206f6385f551dc92cf0764d81..8e7313e8fcca69d3557d2b1cfc975a976cfc05af 100644 (file)
--- a/apt-pkg/contrib/fileutl.cc
+++ b/apt-pkg/contrib/fileutl.cc
@@ -48,6 +48,7 @@
 #include <errno.h>
 #include <glob.h>
 #include <pwd.h>
 #include <errno.h>
 #include <glob.h>
 #include <pwd.h>

+#include <grp.h>

 
 #include <set>
 #include <algorithm>
 
 #include <set>
 #include <algorithm>


@@ -64,6 +65,10 @@
 #include <endian.h>
 #include <stdint.h>
 
 #include <endian.h>
 #include <stdint.h>
 

+#if __gnu_linux__
+#include <sys/prctl.h>
+#endif
+

 #include <apti18n.h>
                                                                        /*}}}*/
 
 #include <apti18n.h>
                                                                        /*}}}*/
 


@@ -2170,17 +2175,68 @@ bool Popen(const char* Args[], FileFd &Fd, pid_t &Child, FileFd::OpenMode Mode)
 
 bool DropPrivs()
 {
 
 bool DropPrivs()
 {

-   if (getuid() != 0)
+   /* uid will be 0 in the end, but gid might be different anyway */
+   uid_t old_uid = getuid();
+   gid_t old_gid = getgid();
+
+   if (old_uid != 0)
+      return true;
+   if(_config->FindB("Debug::NoDropPrivs", false) == true)

       return true;
 
       return true;
 

-   const std::string nobody = _config->Find("APT::User::Nobody", "nobody");
+   const std::string nobody = _config->Find("APT::User::Nobody", "_apt");

    struct passwd *pw = getpwnam(nobody.c_str());
    if (pw == NULL)
       return _error->Warning("No user %s, can not drop rights", nobody.c_str());
    struct passwd *pw = getpwnam(nobody.c_str());
    if (pw == NULL)
       return _error->Warning("No user %s, can not drop rights", nobody.c_str());

+
+#if __gnu_linux__
+   // see prctl(2), needs linux3.5
+   int ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0,0, 0);
+   if(ret < 0)
+      _error->Warning("PR_SET_NO_NEW_PRIVS failed with %i", ret);
+#endif
+
+   if (setgroups(1, &pw->pw_gid) != 1)
+      return _error->Errno("setgroups", "Failed to setgroups");
+
+   if (setegid(pw->pw_gid) != 0)
+      return _error->Errno("setegid", "Failed to setegid");
+

    if (setgid(pw->pw_gid) != 0)
       return _error->Errno("setgid", "Failed to setgid");
    if (setgid(pw->pw_gid) != 0)
       return _error->Errno("setgid", "Failed to setgid");

+

    if (setuid(pw->pw_uid) != 0)
       return _error->Errno("setuid", "Failed to setuid");
    if (setuid(pw->pw_uid) != 0)
       return _error->Errno("setuid", "Failed to setuid");

-
+   // the seteuid() is probably uneeded (at least thats what the linux
+   // man-page says about setuid(2)) but we cargo culted it anyway
+
+
+   if (seteuid(pw->pw_uid) != 0)
+      return _error->Errno("seteuid", "Failed to seteuid");
+
+   /* Try changing GID/EGID */
+   if (pw->pw_gid != old_gid && (setgid(old_gid) != -1 || setegid(old_gid) != -1))
+      return _error->Error("Could restore a gid to root, privilege dropping did not work");
+
+   if (pw->pw_uid != old_uid && (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
+      return _error->Error("Could restore a uid to root, privilege dropping did not work");
+
+   /* Verify the list of supplementary groups is what we expected */
+   gid_t groups[1];
+   if (getgroups(1, groups) != 1)
+      return _error->Errno("getgroups", "Could not get new groups");
+   if (groups[0] != pw->pw_gid)
+      return _error->Error("Could not switch group");
+   /* Verify gid, egid, uid, and euid */
+   if (getgid() != pw->pw_gid)
+      return _error->Error("Could not switch group");
+   if (getegid() != pw->pw_gid)
+      return _error->Error("Could not switch effective group");
+   if (getuid() != pw->pw_uid)
+      return _error->Error("Could not switch user");
+   if (geteuid() != pw->pw_uid)
+      return _error->Error("Could not switch effective user");
+
+   /* TODO: Check saved uid/saved gid as well */

    return true;
 }
    return true;
 }