commit 93cf21fb9afd8205f01399ed2d8dcbe16b522fa4
parent f736198c315bb91bfa7faff095181a3e8e89df94
Author: Mykyta Holubakha <hilobakho@gmail.com>
Date: Wed, 10 May 2017 02:51:28 +0300
Terminate when both suid bit and filecaps are set
Diffstat:
1 file changed, 23 insertions(+), 0 deletions(-)
diff --git a/sway/main.c b/sway/main.c
@@ -27,6 +27,7 @@
#include "stringop.h"
#include "sway.h"
#include "log.h"
+#include "util.h"
static bool terminate_request = false;
static int exit_value = 0;
@@ -209,6 +210,27 @@ static void security_sanity_check() {
#endif
}
+static void executable_sanity_check() {
+#ifdef __linux__
+ struct stat sb;
+ char *exe = realpath("/proc/self/exe", NULL);
+ stat(exe, &sb);
+ // We assume that cap_get_file returning NULL implies ENODATA
+ if (sb.st_mode & (S_ISUID|S_ISGID) && cap_get_file(exe)) {
+ sway_log(L_ERROR,
+ "sway executable has both the s(g)uid bit AND file caps set.");
+ sway_log(L_ERROR,
+ "This is strongly discouraged (and completely broken).");
+ sway_log(L_ERROR,
+ "Please clear one of them (either the suid bit, or the file caps).");
+ sway_log(L_ERROR,
+ "If unsure, strip the file caps.");
+ exit(EXIT_FAILURE);
+ }
+ free(exe);
+#endif
+}
+
int main(int argc, char **argv) {
static int verbose = 0, debug = 0, validate = 0;
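Review bot: The return values of `realpath()` and `stat()` in `executable_sanity_check()` are never checked, so on failure `exe` may be NULL when it reaches `stat()` and `cap_get_file()`, and `sb.st_mode` is read uninitialised. A privilege sanity check should fail closed there instead of deciding on indeterminate data. The comment above the test also concedes that every `cap_get_file()` failure is treated as "no capabilities", so an error other than ENODATA would let a set-id binary with file caps pass unnoticed; checking `errno` closes that gap. Whether an unreadable `/proc/self/exe` should abort or only warn is a policy choice for the maintainers; the fence shows the fail-closed variant of the whole function body, which lies inside this hunk.

```c
	char *exe = realpath("/proc/self/exe", NULL);
	// Fail closed: without a resolved path and a valid stat result the check proves nothing.
	if (!exe || stat(exe, &sb) != 0) {
		sway_log(L_ERROR, "Unable to inspect the sway executable.");
		exit(EXIT_FAILURE);
	}
	if (sb.st_mode & (S_ISUID|S_ISGID)) {
		errno = 0;
		cap_t caps = cap_get_file(exe);
		// Only ENODATA means "no file caps"; any other failure leaves the state unknown.
		if (!caps && errno != ENODATA) {
			sway_log(L_ERROR, "Unable to read file caps of the sway executable.");
			exit(EXIT_FAILURE);
		}
		if (caps) {
			// … unchanged: the four sway_log(L_ERROR, …) messages and exit(EXIT_FAILURE) …
		}
	}
	free(exe);
```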
@@ -326,6 +348,7 @@ int main(int argc, char **argv) {
return 0;
}
+ executable_sanity_check();
#ifdef __linux__
bool suid = false;
if (getuid() != geteuid() || getgid() != getegid()) {