From a179160d41424813a2cf07ab554180804ae14fdf Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Sun, 2 Jan 2022 01:23:27 +0100
Subject: Fix leaking auth ports

We need to be extremely careful with auth ports since leaking them into
subprocesses may expose a root-auth port to non-root processes.

Notably, get_nonsugid_ids was caching it, thus preventing glibc's exec
implementation from dropping it. Login is also reimplementing hurdexec
but without all the cloexec logic.

This commit fixes various auth leaks.
---
 utils/shd.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'utils/shd.c')

diff --git a/utils/shd.c b/utils/shd.c
index e978061c..d2075075 100644
--- a/utils/shd.c
+++ b/utils/shd.c
@@ -231,6 +231,7 @@ main (int argc, char *argv[])
 {
   char *linebuf = NULL;
   size_t linebufsize = 0;
+  auth_t ourauth;
 
   proc = getproc ();
   assert_backtrace (proc);
@@ -252,8 +253,10 @@ main (int argc, char *argv[])
 #endif
 
   /* Kludge to give boot a port to the auth server.  */
-  exec_init (getdport (0), getauth (),
+  ourauth = getauth ();
+  exec_init (getdport (0), ourauth,
 	     MACH_PORT_NULL, MACH_MSG_TYPE_COPY_SEND);
+  mach_port_deallocate (mach_task_self (), ourauth);
 
   if ((fcntl (0, F_GETFL) & O_READ) == 0)
     {
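Review bot: The results of `exec_init` and of the new `mach_port_deallocate` call are both discarded, so if dropping the reference obtained from `getauth ()` ever fails, the auth send right stays in this task unnoticed, which is the leak the commit message warns about. I would capture and check the result, e.g. `error_t err = mach_port_deallocate (mach_task_self (), ourauth);` followed by `assert_backtrace (!err);`, in the style of the `assert_backtrace (proc)` check in the first hunk. If `getauth ()` can return `MACH_PORT_NULL` at this point in boot, the check should be guarded with `if (MACH_PORT_VALID (ourauth))` so that case does not abort. A short comment on the deallocate would also help the next reader, such as `/* getauth () gives us our own reference; drop it so it cannot leak into children.  */`. main starts before and continues past this hunk, so whether an `err` variable is already declared is not visible here.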
-- 
cgit v1.2.3