conf, passt, tap: Open socket and PID files before switching UID/GID

Otherwise, if the user runs us as root, and gives us paths that are only accessible by root, we'll fail to open them, which might in turn encourage users to change permissions or ownerships: definitely a bad idea in terms of security. Reported-by: Minxi Hou <mhou@redhat.com> Reported-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Acked-by: Richard W.M. Jones <rjones@redhat.com>
2025-05-24 18:15:36 +02:00 · 2024-05-22 20:18:19 +02:00 · 2024-05-22 20:18:19 +02:00 · c9b2413465
commit c9b2413465
parent ba23b05545
5 changed files with 28 additions and 11 deletions
--- a/passt.c
+++ b/passt.c
@ -199,9 +199,9 @@ void exit_handler(int signal)
 */
 int main(int argc, char **argv)
 {
-	int nfds, i, devnull_fd = -1, pidfile_fd;
 	struct epoll_event events[EPOLL_EVENTS];
 	char *log_name, argv0[PATH_MAX], *name;
+	int nfds, i, devnull_fd = -1;
 	struct ctx c = { 0 };
 	struct rlimit limit;
 	struct timespec now;
@ -211,7 +211,7 @@ int main(int argc, char **argv)

 	isolate_initial();

-	c.pasta_netns_fd = c.fd_tap = -1;
+	c.pasta_netns_fd = c.fd_tap = c.pidfile_fd = -1;

 	sigemptyset(&sa.sa_mask);
 	sa.sa_flags = 0;
@ -299,8 +299,6 @@ int main(int argc, char **argv)
 		}
 	}

-	pidfile_fd = pidfile_open(c.pid_file);
-
 	if (isolate_prefork(&c))
 		die("Failed to sandbox process, exiting");

@ -308,9 +306,9 @@ int main(int argc, char **argv)
 		__openlog(log_name, 0, LOG_DAEMON);

 	if (!c.foreground)
-		__daemon(pidfile_fd, devnull_fd);
+		__daemon(c.pidfile_fd, devnull_fd);
 	else
-		pidfile_write(pidfile_fd, getpid());
+		pidfile_write(c.pidfile_fd, getpid());

 	if (pasta_child_pid)
 		kill(pasta_child_pid, SIGUSR1);