From 1f5e1a9c1fd57b6ab4dfdfa49ec133b60e8bfbce Mon Sep 17 00:00:00 2001
From: MadMaurice <madmaurice@zom.bi>
Date: Tue, 12 Jan 2021 19:50:07 +0100
Subject: [PATCH] Drop root privileges earlier

We don't need root privileges after the unshare and the first fork. Therefore
we can drop them at that point for safety reasons.
---
 main.c | 34 +++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 15 deletions(-)

diff --git a/main.c b/main.c
index 674e657..12097e8 100644
--- a/main.c
+++ b/main.c
@@ -9,6 +9,22 @@
 #include <sys/wait.h>
 #include <unistd.h>
 
+void drop_root(void) {
+  // Drop root privileges
+  if (seteuid(getuid()) == -1)
+    {
+      int err = errno;
+      printf("Failed to drop root privileges with seteuid (%d)\n", err);
+      exit(err);
+    }
+
+  if (setegid(getgid()) == -1)
+    {
+      int err = errno;
+      printf("Failed to drop root privileges with setegid (%d)\n", err);
+      exit(err);
+    }
+}
 
 char** argdup(int argc, const char** argv)
 {
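Review bot: `drop_root()` lowers only the effective IDs with `seteuid`/`setegid`, so, assuming the binary gets root from a setuid bit, the saved set-user-ID stays 0 and the process can switch back with `seteuid(0)`. Before this commit the drop sat directly ahead of `execvp`, which resets the saved ID to the effective one. With the new call site after the first fork, the waiting parent and the in-namespace init process keep root recoverable for their whole lifetime, so a bug in either could still regain it. To make the drop permanent, give up the group first and then the user while still privileged: `if (setgid(getgid()) == -1) { ... }` followed by `if (setuid(getuid()) == -1) { ... }`. The failure messages would also be better on stderr via `fprintf(stderr, ...)`, and `exit(EXIT_FAILURE)` avoids passing a raw errno value out as the exit status.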
@@ -46,6 +62,9 @@ int main(int argc, const char** argv)
       return err;
     }
 
+  // Drop root privileges, we only needed those for the unshare call and fork above.
+  drop_root();
+
   if (pid != 0)
     {
       // parent waits for child then exits
@@ -94,21 +113,6 @@ int main(int argc, const char** argv)
           // First child of init process. do exec here
           // use cli arguments for subprocess. skip 0 as it's our programs name.
 
-          // Drop root privileges
-          if (seteuid(getuid()) == -1)
-            {
-              int err = errno;
-              printf("Failed to drop root privileges with seteuid (%d)\n", err);
-              return err;
-            }
-
-          if (setegid(getgid()) == -1)
-            {
-              int err = errno;
-              printf("Failed to drop root privileges with setegid (%d)\n", err);
-              return err;
-            }
-
           char** newargs = argdup(argc-1, &argv[1]);
 
           if (execvp(newargs[0], newargs) == -1)