maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Don't do vfork in conjunction with setuid

Browse source
This commit is contained in:
Eelco Dolstra 2014-12-10 18:01:01 +01:00
parent 0e8fc118b3
commit 851b47bd7d
2 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/libstore/build.cc
View file

@ -1914,6 +1914,8 @@ void DerivationGoal::startBuilder()
builderOut.create(); builderOut.create();
/* Fork a child to build the package. */ /* Fork a child to build the package. */
ProcessOptions options;
options.allowVfork = !buildUser.enabled();
pid = startProcess([&]() { pid = startProcess([&]() {
runChild(); runChild();
}); });

3
src/libutil/util.cc
View file

@ -825,6 +825,9 @@ void killUser(uid_t uid)
users to which the current process can send signals. So we users to which the current process can send signals. So we
fork a process, switch to uid, and send a mass kill. */ fork a process, switch to uid, and send a mass kill. */
ProcessOptions options;
options.allowVfork = false;
Pid pid = startProcess([&]() { Pid pid = startProcess([&]() {
if (setuid(uid) == -1) if (setuid(uid) == -1)