Drop supplementary groups (if any) as well

Fixes #133
roehling · Jan 6, 2023 · 9c14cb1 · 9c14cb1
1 parent e3c4e9c
commit 9c14cb1
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -126,6 +126,7 @@ list(APPEND CMAKE_REQUIRED_DEFINITIONS "-D_GNU_SOURCE")
 check_include_file(alloca.h HAVE_ALLOCA_H)
 check_include_file(errno.h HAVE_ERRNO_H)
 check_include_file(fcntl.h HAVE_FCNTL_H)
+check_include_file(grp.h HAVE_GRP_H)
 check_include_file(netdb.h HAVE_NETDB_H)
 check_include_file(poll.h HAVE_POLL_H)
 check_include_file(pwd.h HAVE_PWD_H)

diff --git a/src/main.c b/src/main.c
@@ -53,6 +53,9 @@
 #ifdef HAVE_UNISTD_H
 #    include <unistd.h>
 #endif
+#ifdef HAVE_GRP_H
+#    include <grp.h>
+#endif
 
 static volatile sig_atomic_t timeout = 0;
 
@@ -100,6 +103,13 @@ static bool drop_privileges(cfg_t* cfg)
     }
     if (target_uid != 0 || target_gid != 0)
     {
+#ifdef HAVE_GRP_H
+        if (setgroups(0, NULL) < 0)
+        {
+            log_perror(errno, "cannot drop privileges: setgroups");
+            return false;
+        }
+#endif
         if (setgid(target_gid) < 0)
         {
             log_perror(errno, "cannot drop privileges: setgid");

diff --git a/src/postsrsd_build_config.h.in b/src/postsrsd_build_config.h.in
@@ -40,6 +40,7 @@
 #cmakedefine HAVE_ALLOCA_H 1
 #cmakedefine HAVE_ERRNO_H 1
 #cmakedefine HAVE_FCNTL_H 1
+#cmakedefine HAVE_GRP_H 1
 #cmakedefine HAVE_NETDB_H 1
 #cmakedefine HAVE_POLL_H 1
 #cmakedefine HAVE_PWD_H 1