From a179160d41424813a2cf07ab554180804ae14fdf Mon Sep 17 00:00:00 2001
From: Samuel Thibault
Date: Sun, 2 Jan 2022 01:23:27 +0100
Subject: Fix leaking auth ports
We need to be extremely careful with auth ports since leaking them into subprocesses may expose a root-auth port to non-root processes. Notably, get_nonsugid_ids was caching it, thus preventing glibc's exec implementation from dropping it. Login is also reimplementing hurdexec but without all the cloexec logic. This commit fixes various auth leaks.
---
 utils/nonsugid.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'utils/nonsugid.c')
diff --git a/utils/nonsugid.c b/utils/nonsugid.c
index 71cd3d71..15b1f777 100644
--- a/utils/nonsugid.c
+++ b/utils/nonsugid.c
@@ -32,15 +32,14 @@ get_nonsugid_ids (struct idvec *uids, struct idvec *gids)
 if (uids->num == 0 && gids->num == 0)
 {
 error_t err = 0;
- static auth_t auth = MACH_PORT_NULL;
+ auth_t auth;
 struct idvec *p_eff_uids = make_idvec ();
 struct idvec *p_eff_gids = make_idvec ();
 if (!p_eff_uids || !p_eff_gids)
 err = ENOMEM;
- if (auth == MACH_PORT_NULL)
- auth = getauth ();
+ auth = getauth ();
 if (! err)
 err = idvec_merge_auth (p_eff_uids, uids, p_eff_gids, gids, auth);
@@ -55,6 +54,7 @@ get_nonsugid_ids (struct idvec *uids, struct idvec *gids)
 if (! err)
 err = idvec_merge (gids, p_eff_gids);
 }
+ mach_port_deallocate (mach_task_self (), auth);
 return err;
 }
--
cgit v1.2.3
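Review bot: The result of `auth = getauth ();` in the first hunk is used without a check, and the port is now fetched on every call even when `err` is already ENOMEM. If getauth can fail and return MACH_PORT_NULL (its implementation is not visible here, so confirm), that null name is passed to idvec_merge_auth and later to the unconditional `mach_port_deallocate` added in the second hunk. Guarding the release would make the failure path explicit, for example `if (MACH_PORT_VALID (auth)) mach_port_deallocate (mach_task_self (), auth);`, and a failed getauth should probably set `err` rather than continue. The body of get_nonsugid_ids starts and ends outside this hunk.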
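Review bot: Nothing next to the added `mach_port_deallocate (mach_task_self (), auth);` in the second hunk records why the auth port is fetched and released on every call. Without that, the `static` cache this commit removes could be reintroduced later as an optimization. A comment above the release would keep the security reason in the code, for example `/* Release the auth port on every call: a cached one would survive exec and could expose a root auth port to a non-root subprocess.  */`. The return value of mach_port_deallocate is also discarded; that looks acceptable for cleanup, but a `(void)` cast would show it is deliberate. The enclosing block begins outside this hunk.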