Merge pull request #3011 from matt335672/unpriv_user_fix

Fix permissions on user socket directory
neutrinolabs · Mar 22, 2024 · 8a2f427 · 8a2f427
2 parents 7fabef8 + 200e4d8
commit 8a2f427
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/sesman/scp_process.c b/sesman/scp_process.c
@@ -323,21 +323,31 @@ process_logout_request(struct pre_session_item *psi)
 static int
 create_xrdp_socket_path(uid_t uid)
 {
+    // Owner all permissions, group read+execute
+#define RWX_PERMS 0x750
+
     int rv = 1;
     const char *sockdir_group = g_cfg->sec.session_sockdir_group;
     int gid = 0; // Default if no group specified
 
     char sockdir[XRDP_SOCKETS_MAXPATH];
     g_snprintf(sockdir, sizeof(sockdir), XRDP_SOCKET_PATH, (int)uid);
 
-    // Create directory permissions 0x750, if it doesn't exist already.
-    int old_umask = g_umask_hex(0x750 ^ 0x777);
+    // Create directory permissions RWX_PERMS, if it doesn't exist already
+    // (our os_calls layer doesn't allow us to set the SGID bit here)
+    int old_umask = g_umask_hex(RWX_PERMS ^ 0x777);
     if (!g_directory_exist(sockdir) && !g_create_dir(sockdir))
     {
         LOG(LOG_LEVEL_ERROR,
             "create_xrdp_socket_path: Can't create %s [%s]",
             sockdir, g_get_strerror());
     }
+    else if (g_chmod_hex(sockdir, RWX_PERMS | 0x2000) != 0)
+    {
+        LOG(LOG_LEVEL_ERROR,
+            "create_xrdp_socket_path: Can't set SGID bit on %s [%s]",
+            sockdir, g_get_strerror());
+    }
     else if (sockdir_group != NULL && sockdir_group[0] != '\0' &&
              g_getgroup_info(sockdir_group, &gid) != 0)
     {
@@ -358,6 +368,7 @@ create_xrdp_socket_path(uid_t uid)
     (void)g_umask_hex(old_umask);
 
     return rv;
+#undef RWX_PERMS
 }
 
 /******************************************************************************/