path: root/src/tipideed/harden.c
/* ISC license. */

#include <skalibs/sysdeps.h>
#include <skalibs/nonposix.h>

#include <unistd.h>
#include <errno.h>
#include <stdlib.h>

#include <skalibs/types.h>
#include <skalibs/strerr.h>

#include "tipideed-internal.h"

/*
  Confine the process to its current working directory with chroot(".").
  Because the new root is the cwd itself, the cwd is already inside the
  new root once the call succeeds.

  - chroot() available and failing: fatal, exit code 111.
  - chroot() not available on this platform (SKALIBS_HASCHROOT undefined):
    only a warning is printed (errno forced to ENOSYS) and execution
    continues WITHOUT any filesystem confinement.
    NOTE(review): this path fails open; operators relying on the chroot
    should treat that warning as a deployment error.
*/
static inline void tipideed_chroot (void)
{
#ifndef SKALIBS_HASCHROOT
  /* No chroot() here: report it as ENOSYS, but do not abort. */
  errno = ENOSYS ;
  strerr_warnwu1sys("chroot") ;
#else
  if (chroot(".") == -1)
  {
    strerr_diefu1sys(111, "chroot") ;
  }
#endif
}

/*
  Switch to the uid/gid given by the UID and GID environment variables.

  Both variables must be set and must be accepted by uid0_scan / gid0_scan
  (presumably: the whole string is a numeric id - confirm against skalibs);
  otherwise the process exits 100. A failing set*id call exits 111.

  The order is security-relevant and must be kept: supplementary groups,
  then gid, then uid. Once the uid is no longer privileged, the group
  changes would not be permitted any more.

  Caveats visible in this code:
  - A value of 0 means "leave unchanged". With GID=0 and a nonzero UID,
    the process keeps its current gid and its supplementary groups.
  - Without SKALIBS_HASSETGROUPS the supplementary group list is never
    reset, even for a nonzero GID.
*/
static inline void tipideed_dropuidgid (void)
{
  uid_t newuid = 0 ;
  gid_t newgid = 0 ;
  char const *gidstr = getenv("GID") ;
  char const *uidstr = getenv("UID") ;

  /* Validate both ids before touching any credential. */
  if (!uidstr)
  {
    strerr_dienotset(100, "UID") ;
  }
  if (!uid0_scan(uidstr, &newuid))
  {
    strerr_dieinvalid(100, "UID") ;
  }
  if (!gidstr)
  {
    strerr_dienotset(100, "GID") ;
  }
  if (!gid0_scan(gidstr, &newgid))
  {
    strerr_dieinvalid(100, "GID") ;
  }

  if (newgid != 0)
  {
#ifdef SKALIBS_HASSETGROUPS
    /* Reduce the supplementary groups to the target gid alone. */
    if (setgroups(1, &newgid) == -1)
    {
      strerr_diefu2sys(111, "setgroups to ", gidstr) ;
    }
#endif
    if (setgid(newgid) == -1)
    {
      strerr_diefu2sys(111, "setgid to ", gidstr) ;
    }
  }

  /* The uid goes last: see the ordering note above. */
  if (newuid != 0 && setuid(newuid) == -1)
  {
    strerr_diefu2sys(111, "setuid to ", uidstr) ;
  }
}

/*
  Apply the hardening steps selected by the bitmask h:
    bit 1 (value 2): chroot into the current directory
    bit 0 (value 1): drop to the uid/gid from the UID/GID environment

  The chroot is done first, while the process still has its original
  credentials; the uid/gid change follows.
  NOTE(review): with h == 2 alone the process keeps its uid after the
  chroot; if that uid is 0, the chroot by itself is not a strong
  confinement. Callers should normally request both bits.
*/
void tipideed_harden (unsigned int h)
{
  unsigned int const want_chroot = h & 2 ;
  unsigned int const want_drop = h & 1 ;

  if (want_chroot)
  {
    tipideed_chroot() ;
  }
  if (want_drop)
  {
    tipideed_dropuidgid() ;
  }
}