From 3ce4f1f7e5e8b77a8e9862fe3adf1fdae24e7825 Mon Sep 17 00:00:00 2001
From: bie <bie@blekksprut.net>
Date: Thu, 10 Nov 2016 18:01:49 +0100
Subject: capabilities, libcap, party hard

---
 Makefile   |  2 +-
 godzilla.c | 12 ++++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 15311e6..71c7548 100644
--- a/Makefile
+++ b/Makefile
@@ -14,5 +14,5 @@ config.h:
 	cp config.def.h $@
 
 godzilla: config.h godzilla.c
-	${CC} ${CFLAGS} -o godzilla godzilla.c -lcrypt
+	${CC} ${CFLAGS} -o godzilla godzilla.c -lcrypt -lcap
 
diff --git a/godzilla.c b/godzilla.c
index 002ed96..0c512ea 100644
--- a/godzilla.c
+++ b/godzilla.c
@@ -9,6 +9,8 @@
 #include <unistd.h>
 #include <pwd.h>
 #include <grp.h>
+#include <sys/capability.h>
+#include <sys/prctl.h>
 #include <sys/types.h>
 
 #include "config.h"
@@ -79,10 +81,16 @@ int main(int argc, char **argv) {
   result = crypt(passw, s->sp_pwdp);
   if(!strcmp(result, s->sp_pwdp)) {
     struct passwd *user = getpwnam(login);
+    cap_value_t cap_values[] = { CAP_SETUID, CAP_SETGID };
+    cap_t caps;
+    caps = cap_get_proc();
+    cap_set_flag(caps, CAP_EFFECTIVE, 2, cap_values, CAP_SET);
+    cap_set_proc(caps);
+    prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
+    cap_free(caps);
     setgid(user->pw_gid);
-    setuid(user->pw_uid);
-    seteuid(user->pw_uid);
     initgroups(login, user->pw_gid);
+    setuid(user->pw_uid);
     setenv("REMOTE_USER", login, 1);
     unsetenv("HTTP_AUTHORIZATION");
     return execve(script, argv, environ);
-- 
cgit v1.0