From c9b24134656925e53fea3cde0b33ab143dcd84af Mon Sep 17 00:00:00 2001
From: Stefano Brivio
Date: Wed, 22 May 2024 20:18:19 +0200
Subject: conf, passt, tap: Open socket and PID files before switching UID/GID
Otherwise, if the user runs us as root, and gives us paths that are only accessible by root, we'll fail to open them, which might in turn encourage users to change permissions or ownerships: definitely a bad idea in terms of security.
Reported-by: Minxi Hou
Reported-by: Richard W.M. Jones
Signed-off-by: Stefano Brivio
Acked-by: Richard W.M. Jones
---
 conf.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
(limited to 'conf.c')
diff --git a/conf.c b/conf.c
index 2e0d909..f62a5eb 100644
--- a/conf.c
+++ b/conf.c
@@ -38,6 +38,7 @@
 #include "ip.h"
 #include "passt.h"
 #include "netlink.h"
+#include "tap.h"
 #include "udp.h"
 #include "tcp.h"
 #include "pasta.h"
@@ -1093,7 +1094,7 @@ static void conf_ugid(char *runas, uid_t *uid, gid_t *gid)
 return;
 /* ...otherwise use nobody:nobody */
- warn("Started as root. Changing to nobody...");
+ warn("Started as root, will change to nobody.");
 {
 #ifndef GLIBC_NO_STATIC_NSS
 const struct passwd *pw;
@@ -1113,6 +1114,18 @@ static void conf_ugid(char *runas, uid_t *uid, gid_t *gid)
 }
 }
+/**
+ * conf_open_files() - Open files as requested by configuration
+ * @c: Execution context
+ */
+static void conf_open_files(struct ctx *c)
+{
+ if (c->mode == MODE_PASST && c->fd_tap == -1)
+ c->fd_tap_listen = tap_sock_unix_open(c->sock_path);
+
+ c->pidfile_fd = pidfile_open(c->pid_file);
+}
+
 /**
 * conf() - Process command-line arguments and set configuration
 * @c: Execution context
@@ -1712,6 +1725,8 @@ void conf(struct ctx *c, int argc, char **argv)
 else if (optind != argc)
 die("Extra non-option argument: %s", argv[optind]);
+ conf_open_files(c); /* Before any possible setuid() / setgid() */
+
 isolate_user(uid, gid, !netns_only, userns, c->mode);
 if (c->pasta_conf_ns)
-- 
cgit v1.2.3
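Review bot: conf_open_files() stores whatever tap_sock_unix_open() and pidfile_open() return without looking at the value; if either helper reports failure by returning -1 rather than by calling die(), the bad descriptor is only noticed later, once isolate_user() has dropped the privileges that were the reason for opening early. The doc comment should also state the ordering constraint, since that is the whole point of the function: ` * Must be called before isolate_user(): the paths may be accessible to the invoking user only, and the resulting descriptors are kept across the UID/GID switch.` If tap_sock_unix_open() creates the socket node, that node is owned by the credentials in effect here rather than by the final user, which is worth a sentence in the same comment so the call is not moved later. conf_open_files() is complete within this hunk; the surrounding conf_ugid() and conf() are only partially visible.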
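Review bot: The new call site assumes conf_open_files() is now the only place these files are opened, but this view is limited to conf.c while the subject also names passt and tap; if the earlier open calls there were not removed in the same commit, the socket path would be bound twice and the PID file opened twice, so that should be checked against the rest of the series. The inline comment explains only the timing; it would help to also name the reason, e.g. `/* Before isolate_user(): paths may be accessible to root only */`. conf() starts and ends outside the hunk.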