cmd/fsu: check uid range before syscall

This limits potential exploits to the fortify uid range. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-12-17 13:01:36 +09:00 · 2024-12-17 13:01:36 +09:00 · b453f70ca2
commit b453f70ca2
parent c2b178e626
1 changed files with 5 additions and 0 deletions
--- a/cmd/fsu/main.go
+++ b/cmd/fsu/main.go
@ -123,6 +123,11 @@ func main() {
 		suppGroups = []int{uid}
 	}

+	// final bounds check to catch any bugs
+	if uid < 1000000 || uid >= 2000000 {
+		panic("uid out of bounds")
+	}
+
 	// careful! users in the allowlist is effectively allowed to drop groups via fsu

 	if err := syscall.Setresgid(uid, uid, uid); err != nil {