Privilege dropping code may not be working

[theopolis]

It looks like the code to drop privileges may have been broken via commit 37f0e1f

That commit reverted the correct order from #911, which first drops the gid then the uid. If setuid is called first then the target user may not have the ability to setgid.

Additionally, this implementation should consider using initgroups as well (before dropping the uid) to drop supplemental groups from the source user and set the groups for the target user. If you do not drop supplemental groups the target user most likely retains privileges granted by those groups.

Heads up that I am raising this issue by performing a code review only. I have not run sway to verify the breakage.

[emersion]

Good catch. Reference: https://wiki.sei.cmu.edu/confluence/display/c/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges

Would you be willing to submit a pull request to fix this?

Additionally, this implementation should consider using initgroups as well (before dropping the uid) to drop supplemental groups from the source user and set the groups for the target user. If you do not drop supplemental groups the target user most likely retains privileges granted by those groups.

This is not POSIX. We don't alter our supplementary group IDs before dropping root, so it shouldn't be necessary.

[theopolis]

This is not POSIX. We don't alter our supplementary group IDs before dropping root, so it shouldn't be necessary

Makes sense!

I will try to submit a PR this week! :)