mirror
/
darkhttpd
mirror of https://github.com/emikulic/darkhttpd.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Call setgroups() before setgid() to drop supplementary groups. 

See also: https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges
This commit is contained in:
Emil Mikulic 2015-01-01 22:22:41 +11:00
parent 03a22661a0
commit 49ad7a0421
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
darkhttpd.c
View File

@ -53,6 +53,7 @@ static const int debug = 1;
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
@ -2538,6 +2539,10 @@ int main(int argc, char **argv) {
wwwroot[0] = '\0'; /* empty string */
}
if (drop_gid != INVALID_GID) {
gid_t list[1];
list[0] = drop_gid;
if (setgroups(1, list) == -1)
err(1, "setgroups([%d])", (int)drop_gid);
if (setgid(drop_gid) == -1)
err(1, "setgid(%d)", (int)drop_gid);
printf("set gid to %d\n", (int)drop_gid);