libmisc: Use safer chroot/chdir sequence

OpenSSH and coreutils' chroot call chroot first and then chdir. Doing it this way is a bit safer because otherwise something could happen between chdir and chroot to the specified path (like exchange of links) so the working directory would not end up within the chroot environment. This is a purely defensive measure. Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
2023-05-23 11:57:50 +00:00 · 2023-05-23 11:57:50 +00:00 · 6491fef1e0
commit 6491fef1e0
parent a116e20c76
2 changed files with 6 additions and 6 deletions
--- a/libmisc/root_flag.c
+++ b/libmisc/root_flag.c
@ -91,18 +91,18 @@ static void change_root (const char* newroot)
 		exit (E_BAD_ARG);
 	}

-	if (chdir (newroot) != 0) {
-		fprintf(log_get_logfd(),
-				_("%s: cannot chdir to chroot directory %s: %s\n"),
-				log_get_progname(), newroot, strerror (errno));
-		exit (E_BAD_ARG);
-	}
-
 	if (chroot (newroot) != 0) {
 		fprintf(log_get_logfd(),
 			        _("%s: unable to chroot to directory %s: %s\n"),
 				log_get_progname(), newroot, strerror (errno));
 		exit (E_BAD_ARG);
 	}
+
+	if (chdir ("/") != 0) {
+		fprintf(log_get_logfd(),
+			_("%s: cannot chdir in chroot directory %s: %s\n"),
+		        log_get_progname(), newroot, strerror (errno));
+		exit (E_BAD_ARG);
+	}
 }

--- a/libmisc/sub.c
+++ b/libmisc/sub.c
@ -57,8 +57,8 @@ void subsystem (const struct passwd *pw)
 	 * must be able to change into it.
 	 */

-	if (   (chdir (pw->pw_dir) != 0)
-	    || (chroot (pw->pw_dir) != 0)) {
+	if (   (chroot (pw->pw_dir) != 0)
+	    || (chdir ("/") != 0)) {
 		(void) printf (_("Can't change root directory to '%s'\n"),
 		               pw->pw_dir);
 		SYSLOG ((LOG_WARN, NO_SUBROOT2, pw->pw_dir, pw->pw_name));