Diffstat (limited to 'sway/main.c')
-rw-r--r-- | sway/main.c | 44 |
1 files changed, 13 insertions, 31 deletions
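--- a/sway/main.c
+++ b/sway/main.c
@@ -150,27 +150,17 @@ static void log_kernel(void) {
 pclose(f);
 }
 
-
-static bool drop_permissions(void) {
-if (getuid() != geteuid() || getgid() != getegid()) {
-sway_log(SWAY_ERROR, "!!! DEPRECATION WARNING: "
-"SUID privilege drop will be removed in a future release, please migrate to seatd-launch");
-
-// Set the gid and uid in the correct order.
-if (setgid(getgid()) != 0) {
-sway_log(SWAY_ERROR, "Unable to drop root group, refusing to start");
-return false;
-}
-if (setuid(getuid()) != 0) {
-sway_log(SWAY_ERROR, "Unable to drop root user, refusing to start");
-return false;
-}
+static bool detect_suid(void) {
+if (geteuid() != 0 && getegid() != 0) {
+return false;
 }
-if (setgid(0) != -1 || setuid(0) != -1) {
-sway_log(SWAY_ERROR, "Unable to drop root (we shouldn't be able to "
-"restore it after setuid), refusing to start");
+
+if (getuid() == geteuid() && getgid() == getegid()) {
 return false;
 }
+
+sway_log(SWAY_ERROR, "SUID operation is no longer supported, refusing to start. "
+"This check will be removed in a future release.");
 return true;
 }
 
@@ -319,6 +309,11 @@ int main(int argc, char **argv) {
 }
 }
 
+// SUID operation is deprecated, so block it for now.
+if (detect_suid()) {
+exit(EXIT_FAILURE);
+}
+
 // Since wayland requires XDG_RUNTIME_DIR to be set, abort with just the
 // clear error message (when not running as an IPC client).
 if (!getenv("XDG_RUNTIME_DIR") && optind == argc) {
@@ -357,9 +352,6 @@ int main(int argc, char **argv) {
 "`sway -d 2>sway.log`.");
 exit(EXIT_FAILURE);
 }
-if (!drop_permissions()) {
-exit(EXIT_FAILURE);
-}
 char *socket_path = getenv("SWAYSOCK");
 if (!socket_path) {
 sway_log(SWAY_ERROR, "Unable to retrieve socket path");
@@ -372,16 +364,6 @@ int main(int argc, char **argv) {
 }
 
 detect_proprietary(allow_unsupported_gpu);
-
-if (!server_privileged_prepare(&server)) {
-return 1;
-}
-
-if (!drop_permissions()) {
-server_fini(&server);
-exit(EXIT_FAILURE);
-}
-
 increase_nofile_limit();
 
 // handle SIGTERM signals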
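Review bot: In `detect_suid()` the first guard, `if (geteuid() != 0 && getegid() != 0) { return false; }`, returns before the real/effective comparison whenever neither effective id is 0, so a binary installed set-uid or set-gid to a non-root account still starts with those ids in effect. The removed `drop_permissions()` reset any mismatch between real and effective ids, and nothing in the visible hunks handles that case now. Dropping the first guard and keeping only `if (getuid() == geteuid() && getgid() == getegid()) { return false; }` would refuse every set-id start while still allowing a plain root login. The call in `main()` also appears to sit after the option-parsing block (only its closing braces are in the hunk), so moving it to the top of `main()` would keep argument handling from running with elevated ids. A short comment on `detect_suid()` such as `// Returns true (and logs) when real and effective ids differ; a plain root session is allowed.` would record the intent.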