From a179160d41424813a2cf07ab554180804ae14fdf Mon Sep 17 00:00:00 2001
From: Samuel Thibault
Date: Sun, 2 Jan 2022 01:23:27 +0100
Subject: Fix leaking auth ports

We need to be extremely careful with auth ports since leaking them into subprocesses may expose a root-auth port to non-root processes. Notably, get_nonsugid_ids was caching it, thus preventing glibc's exec implementation from dropping it. Login is also reimplementing hurdexec but without all the cloexec logic. This commit fixes various auth leaks.
---
 libshouldbeinlibc/nullauth.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'libshouldbeinlibc/nullauth.c')
diff --git a/libshouldbeinlibc/nullauth.c b/libshouldbeinlibc/nullauth.c
index 3a98e558..8a19b05c 100644
--- a/libshouldbeinlibc/nullauth.c
+++ b/libshouldbeinlibc/nullauth.c
@@ -29,14 +29,16 @@ setnullauth (void)
 {
 error_t err;
+ auth_t ourauth = getauth ();
 auth_t nullauth;
- err = auth_makeauth (getauth (),
+ err = auth_makeauth (ourauth,
 NULL, MACH_MSG_TYPE_COPY_SEND, 0, NULL, 0, NULL, 0, NULL, 0, NULL, 0, &nullauth);
+ mach_port_deallocate (mach_task_self (), ourauth);
 if (err) return err;
-- cgit v1.2.3
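Review bot: The added `mach_port_deallocate (mach_task_self (), ourauth);` after `auth_makeauth` carries no comment saying why the right must be released here, and its return value is dropped, so a failed release would leave the original (possibly privileged) auth right in the task unnoticed. A short comment such as `/* getauth () gives us our own reference to the current auth port; release it so the old credentials do not outlive the switch to nullauth. */` would keep a later cleanup from folding `getauth ()` back into the call and reintroducing the leak. Placing the release before `if (err)` looks right, since it then runs on both the success and the error path. `setnullauth` continues past the end of the hunk, so whether `nullauth` itself is released once it has been installed cannot be checked from these lines and is worth confirming.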