On ven., 2011-08-26 at 10:58 +0200, Yves-Alexis Perez wrote: > > However I didnt dig deep enough into it to write an exploit as I dont have > > a working lightdm setup. The correct behavior is to temporarily drop > > euid/fsuid > > to that of the user if doing anything with his files. > > Yeah, I'm currently cooking patches doing that, though they'll need > review before apply.
Would something like: diff --git a/src/dmrc.c b/src/dmrc.c index bff1da8..9f38faf 100644 --- a/src/dmrc.c +++ b/src/dmrc.c @@ -80,11 +80,25 @@ dmrc_save (GKeyFile *dmrc_file, const gchar *username) /* Update the users .dmrc */ if (user) { + /* write the file as the user itself */ + pid_t pid; + pid = fork(); + + if (pid == 0) + { + if (setuid (user_get_uid(user)) < 0) + { + g_warning("Error changing uid for %s: %s", username, g_strerror(errno)); + _exit(EXIT_FAILURE); + } path = g_build_filename (user_get_home_directory (user), ".dmrc", NULL); g_file_set_contents (path, data, length, NULL); - if (getuid () == 0 && chown (path, user_get_uid (user), user_get_gid (user)) < 0) - g_warning ("Error setting ownership on %s: %s", path, strerror (errno)); g_free (path); + _exit(EXIT_SUCCESS); + + } + if (pid > 0) + wait(NULL); } /* Update the .dmrc cache */ do the job (untested, it's more like a RFC right now). Regards, -- Yves-Alexis
signature.asc
Description: This is a digitally signed message part