svn commit: r337415 - head/sbin/dhclient

Mark Johnston markj at FreeBSD.org
Tue Aug 7 13:50:22 UTC 2018 

Author: markj
Date: Tue Aug  7 13:50:21 2018
New Revision: 337415
URL: https://svnweb.freebsd.org/changeset/base/337415

Log:
  dhclient: Enter capability mode before dropping privileges.
  
  This is needed to be able to chroot in the fallback case where
  Capsicum is not available.
  
  Reported by:	Daniel Braniss <danny at cs.huji.ac.il>
  X-MFC with:	r337382
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/sbin/dhclient/dhclient.c

Modified: head/sbin/dhclient/dhclient.c
==============================================================================
--- head/sbin/dhclient/dhclient.c	Tue Aug  7 13:46:06 2018	(r337414)
+++ head/sbin/dhclient/dhclient.c	Tue Aug  7 13:50:21 2018	(r337415)
@@ -529,23 +529,21 @@ main(int argc, char *argv[])
 	if (cap_rights_limit(routefd, &rights) < 0 && errno != ENOSYS)
 		error("can't limit route socket: %m");
 
-	if (setgroups(1, &pw->pw_gid) ||
-	    setegid(pw->pw_gid) || setgid(pw->pw_gid) ||
-	    seteuid(pw->pw_uid) || setuid(pw->pw_uid))
-		error("can't drop privileges: %m");
-
 	endpwent();
 
 	setproctitle("%s", ifi->name);
 
+	/* setgroups(2) is not permitted in capability mode. */
+	if (setgroups(1, &pw->pw_gid) != 0)
+		error("can't restrict groups: %m");
+
 	if (caph_enter_casper() < 0)
 		error("can't enter capability mode: %m");
 
 	/*
-	 * If we are not in capability mode (i.e., because Capsicum or
-	 * libcasper is disabled), try to restrict filesystem access.  This
-	 * will fail if kern.chroot_allow_open_directories is 0 or the process
-	 * is jailed.
+	 * If we are not in capability mode (i.e., Capsicum or libcasper is
+	 * disabled), try to restrict filesystem access.  This will fail if
+	 * kern.chroot_allow_open_directories is 0 or the process is jailed.
 	 */
 	if (cap_getmode(&capmode) < 0 || capmode == 0) {
 		if (chroot(_PATH_VAREMPTY) == -1)
@@ -553,6 +551,10 @@ main(int argc, char *argv[])
 		if (chdir("/") == -1)
 			error("chdir(\"/\")");
 	}
+
+	if (setegid(pw->pw_gid) || setgid(pw->pw_gid) ||
+	    seteuid(pw->pw_uid) || setuid(pw->pw_uid))
+		error("can't drop privileges: %m");
 
 	if (immediate_daemon)
 		go_daemon();

More information about the svn-src-all mailing list