X-Git-Url: https://git.saurik.com/apt.git/blobdiff_plain/ce1f3a2c616b86da657c1c796efa5f4d18c30c39..d5e7aa2a60076bf9924d4a62ad19a04951f4759a:/apt-pkg/contrib/fileutl.cc?ds=sidebyside diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc index e52c8f219..f754b313e 100644 --- a/apt-pkg/contrib/fileutl.cc +++ b/apt-pkg/contrib/fileutl.cc @@ -2090,7 +2090,7 @@ bool FileFd::FileFdError(const char *Description,...) { } /*}}}*/ -APT_DEPRECATED gzFile FileFd::gzFd() { +gzFile FileFd::gzFd() { #ifdef HAVE_ZLIB return d->gz; #else @@ -2280,7 +2280,7 @@ bool DropPrivileges() /*{{{*/ // empty setting disables privilege dropping - this also ensures // backward compatibility, see bug #764506 const std::string toUser = _config->Find("APT::Sandbox::User"); - if (toUser.empty()) + if (toUser.empty() || toUser == "root") return true; // uid will be 0 in the end, but gid might be different anyway @@ -2322,12 +2322,17 @@ bool DropPrivileges() /*{{{*/ return _error->Errno("seteuid", "Failed to seteuid"); #endif - // Verify that the user has only a single group, and the correct one - gid_t groups[1]; - if (getgroups(1, groups) != 1) - return _error->Errno("getgroups", "Could not get new groups"); - if (groups[0] != pw->pw_gid) - return _error->Error("Could not switch group"); + // Verify that the user isn't still in any supplementary groups + long const ngroups_max = sysconf(_SC_NGROUPS_MAX); + std::unique_ptr gidlist(new gid_t[ngroups_max]); + if (unlikely(gidlist == NULL)) + return _error->Error("Allocation of a list of size %lu for getgroups failed", ngroups_max); + ssize_t gidlist_nr; + if ((gidlist_nr = getgroups(ngroups_max, gidlist.get())) < 0) + return _error->Errno("getgroups", "Could not get new groups (%lu)", ngroups_max); + for (ssize_t i = 0; i < gidlist_nr; ++i) + if (gidlist[i] != pw->pw_gid) + return _error->Error("Could not switch group, user %s is still in group %d", toUser.c_str(), gidlist[i]); // Verify that gid, egid, uid, and euid changed if (getgid() != pw->pw_gid)