Compare commits
No commits in common. "master" and "dev-old" have entirely different histories.
30
mm.py
30
mm.py
|
|
@ -277,18 +277,32 @@ class Modem:
|
|||
pw_record = pwd.getpwnam(RUN_AS)
|
||||
uid, gid = pw_record.pw_uid, pw_record.pw_gid
|
||||
def demote():
|
||||
PR_SET_NO_NEW_PRIVS = 38
|
||||
PR_SET_NO_NEW_PRIVS = 38
|
||||
PR_CAP_AMBIENT = 47
|
||||
PR_CAP_AMBIENT_CLEAR_ALL = 4
|
||||
PR_GET_SECUREBITS = 27
|
||||
PR_SET_SECUREBITS = 28
|
||||
libc = ctypes.CDLL('libc.so.6')
|
||||
libc.prctl.restype = ctypes.c_int
|
||||
assert libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0
|
||||
assert libc.prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) == 0
|
||||
assert libc.prctl(PR_SET_SECUREBITS, 0x2f) == 0
|
||||
# SECBIT_KEEP_CAPS_LOCKED | SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED | SECBIT_NOROOT | SECBIT_NOROOT_LOCKED
|
||||
assert libc.prctl(PR_GET_SECUREBITS) == 0x2f
|
||||
libc = ctypes.CDLL('/usr/lib/libc.so.6')
|
||||
assert libc.prctl(
|
||||
ctypes.c_int(PR_SET_NO_NEW_PRIVS),
|
||||
ctypes.c_int(1),
|
||||
ctypes.c_int(0),
|
||||
ctypes.c_int(0),
|
||||
ctypes.c_int(0)
|
||||
) == 0
|
||||
assert libc.prctl(
|
||||
ctypes.c_int(PR_CAP_AMBIENT),
|
||||
ctypes.c_int(PR_CAP_AMBIENT_CLEAR_ALL),
|
||||
ctypes.c_int(0),
|
||||
ctypes.c_int(0),
|
||||
ctypes.c_int(0)
|
||||
) == 0
|
||||
libc.prctl(
|
||||
PR_SET_SECUREBITS,
|
||||
ctypes.c_int(0x2f) # SECBIT_KEEP_CAPS_LOCKED | SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED | SECBIT_NOROOT | SECBIT_NOROOT_LOCKED
|
||||
)
|
||||
assert libc.prctl(ctypes.c_int(PR_GET_SECUREBITS)) == 0x2f
|
||||
|
||||
os.setgroups([])
|
||||
os.setresgid(gid, gid, gid)
|
||||
os.setresuid(uid, uid, uid)
|
||||
|
|
|
|||
Loading…
Reference in a new issue