Merge remote-tracking branch 'origin/pr/468'

* origin/pr/468: qfile-unpacker should not be an easy root hole
QubesOS · Oct 26, 2023 · 7fa85ff · 7fa85ff
2 parents 572c5f1 + 25ce49c
commit 7fa85ff
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/qubes-rpc/gui-fatal.c b/qubes-rpc/gui-fatal.c
@@ -35,9 +35,12 @@ static void produce_message(const char *type, const char *fmt, va_list args)
         case -1:
             exit(1); // what else
         case 0:
-            if (geteuid() == 0)
-                if (setuid(getuid()) != 0)
-                    perror("setuid failed, calling kdialog/zenity as root");
+            if (geteuid() == 0) {
+                if (setuid(getuid()) != 0) {
+                    perror("setuid failed, not calling kdialog/zenity");
+                    exit(1);
+                }
+            }
             fix_display();
 #ifdef USE_KDIALOG
             execlp("/usr/bin/kdialog", "kdialog", "--sorry", dialog_msg, NULL);

diff --git a/qubes-rpc/qfile-unpacker.c b/qubes-rpc/qfile-unpacker.c
@@ -20,6 +20,9 @@
 char *prepare_creds_return_dir(int uid)
 {
     const struct passwd *pwd;
+    uid_t myuid = getuid();
+    if (myuid != 0 && myuid != (uid_t)uid)
+        gui_fatal("Refusing to change to UID other than the caller's UID");
     pwd = getpwuid(uid);
     if (!pwd) {
         perror("getpwuid");