authorMarkos Chandras <mchandras@suse.de>2016-05-18 09:36:16 +0100
committerPavel Šimerda <pavlix@pavlix.net>2016-08-23 12:24:16 +0200
commit911cb11a8108f35b732d3affd4df33eacb1429f5 (patch)
treec0c8cdf2604a619f50b3f45abb6dbdaface06596
parentd141cb6e4ee3388f0508afa0f6368aaa1236778c (diff)
downloadiputils-911cb11a8108f35b732d3affd4df33eacb1429f5.tar.gz
tftpd: Drop supplementary groups for root
Before dropping our root privileges, we need to make sure that root does not belong to any other group. That's because setgid() will change the gid but it will leave the supplementary groups unchanged so we may still be able to do privileged operations. Use setgroups() before set{u,g}id to ensure that root does not have any unexpected privileges. Link: https://www.securecoding.cert.org/confluence/display/c/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges Signed-off-by: Markos Chandras <mchandras@suse.de>
-rw-r--r--tftpd.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/tftpd.c b/tftpd.c
index e2a6f14..16bb4b8 100644
--- a/tftpd.c
+++ b/tftpd.c
@@ -54,6 +54,7 @@
#include <ctype.h>
#include <string.h>
#include <stdlib.h>
+#include <grp.h>
#include "tftp.h"
@@ -101,6 +102,8 @@ int main(int ac, char **av)
/* Sanity. If parent forgot to setuid() on us. */
if (geteuid() == 0) {
+ /* Drop all supplementary groups. No error checking is needed */
+ setgroups(0, NULL);
if (setgid(65534) || setuid(65534)) {
syslog(LOG_ERR, "set*id failed: %m\n");
exit(1);
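Review bot: The return value of `setgroups(0, NULL)` is discarded, and the added comment states that no error checking is needed, so a failed call leaves root's supplementary groups in place while the following `setgid(65534)` and `setuid(65534)` can still succeed. That combination is possible wherever setgroups() is refused independently of setgid(), for example in a user namespace with setgroups denied (inferred; the hunk does not show how tftpd is deployed). I would drop the "No error checking is needed" sentence and fold the call into the existing check, `if (setgroups(0, NULL) || setgid(65534) || setuid(65534)) {`, so a failure takes the existing syslog/exit(1) path instead of serving requests with leftover group membership. main() begins and continues outside this hunk.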