From b453f70ca2016d8ab791968a3f2bc9ba2425bd2f Mon Sep 17 00:00:00 2001
From: Ophestra Umiker <cat@ophivana.moe>
Date: Tue, 17 Dec 2024 13:01:36 +0900
Subject: [PATCH] cmd/fsu: check uid range before syscall

This limits potential exploits to the fortify uid range.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
---
 cmd/fsu/main.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/cmd/fsu/main.go b/cmd/fsu/main.go
index 1ec3a4b..d232818 100644
--- a/cmd/fsu/main.go
+++ b/cmd/fsu/main.go
@@ -123,6 +123,11 @@ func main() {
 		suppGroups = []int{uid}
 	}
 
+	// final bounds check to catch any bugs
+	if uid < 1000000 || uid >= 2000000 {
+		panic("uid out of bounds")
+	}
+
 	// careful! users in the allowlist is effectively allowed to drop groups via fsu
 
 	if err := syscall.Setresgid(uid, uid, uid); err != nil {