From 71d23bb262bd3fdb93c60dd62bc8f76d052ae4dc Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Sat, 9 Jan 2021 17:46:30 +0100
Subject: [PATCH] passwd: Drop privileges after opening files for writing

Once we have /etc/passwd and /etc/shadow open for writing, there's no need for passwd to continue running as root.

We can also drop a bunch of pledge promises, further tightening things.
---
 Userland/passwd.cpp | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/Userland/passwd.cpp b/Userland/passwd.cpp
index e131081d3e..5e9ed17e4b 100644
--- a/Userland/passwd.cpp
+++ b/Userland/passwd.cpp
@@ -39,7 +39,7 @@ int main(int argc, char** argv)
         return 1;
     }
 
-    if (pledge("stdio wpath rpath cpath tty", nullptr) < 0) {
+    if (pledge("stdio wpath rpath cpath tty id", nullptr) < 0) {
         perror("pledge");
         return 1;
     }
@@ -86,6 +86,27 @@ int main(int argc, char** argv)
         return 1;
     }
 
+    // Drop privileges after opening all the files through the Core::Account object.
+    auto gid = getgid();
+    if (setresgid(gid, gid, gid) < 0) {
+        perror("setresgid");
+        return 1;
+    }
+
+    auto uid = getuid();
+    if (setresuid(uid, uid, uid) < 0) {
+        perror("setresuid");
+        return 1;
+    }
+
+    // Make sure /etc/passwd is open and ready for reading, then we can drop a bunch of pledge promises.
+    setpwent();
+
+    if (pledge("stdio tty", nullptr) < 0) {
+        perror("pledge");
+        return 1;
+    }
+
     // target_account is the account we are changing the password of.
     auto target_account = account_or_error.value();
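Review bot: The final `pledge("stdio tty", nullptr)` in the second hunk drops `rpath`, so every later password-database lookup depends on the preceding `setpwent()` having left LibC's /etc/passwd stream open and on LibC reusing that stream (rewinding rather than reopening) — an implicit contract the code neither states nor checks, and if a later `getpwnam`/`getpwuid` or an `endpwent()` reopens the file, the process is presumably terminated by pledge instead of failing cleanly. I would spell that out above `setpwent()`: `// LibC keeps the /etc/passwd stream open after setpwent(); nothing after the pledge below may call endpwent() or reopen it, since rpath is gone.` The first comment should also say why the statement order matters: dropping `id` in that same pledge is what makes the setresgid/setresuid drop irreversible, so the pledge must stay after the setres* calls, and setresgid must stay before setresuid (a process that has already given up root can no longer change its gid). main() starts before the first hunk and continues past the end of the second.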