|
|
- From 555e4346d4a441e2385b91c3188edbe9b093cfd5 Mon Sep 17 00:00:00 2001
- From: Brent Cook <busterb@gmail.com>
- Date: Thu, 1 Jan 2015 13:26:29 -0600
- Subject: [PATCH 06/16] do not allow privsep user to be a privileged user
-
- This may need to be a function call for different platforms with
- different capability / privilege mechanisms.
- ---
- src/usr.sbin/ntpd/ntp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
- diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c
- index 26701c8..a24f305 100644
- --- a/src/usr.sbin/ntpd/ntp.c
- +++ b/src/usr.sbin/ntpd/ntp.c
- @@ -147,6 +147,12 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf *nconf,
- conf = nconf;
- setup_listeners(se, conf, &listener_cnt);
-
- + if (pw->pw_uid == 0 || pw->pw_gid == 0)
- + fatal("privsep user cannot be root");
- +
- + if (pw->pw_uid == geteuid() || pw->pw_gid == getegid())
- + fatal("privsep user cannot be the privileged user");
- +
- if (setgroups(1, &pw->pw_gid) ||
- setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
- setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
- --
- 1.9.1
-
|