From 5bf28901a44e36476900b3671958c1a27cef0ba0 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Wed, 8 Oct 2025 18:22:24 +0900
Subject: [PATCH] cmd/hsu: check against setgid bit

The getgroups behaviour is already checked for, but it never hurts to be more careful in a setuid program.

Signed-off-by: Ophestra
---
 cmd/hsu/main.go | 3 +++
 dist/install.sh | 2 +-
 nixos.nix | 2 --
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/cmd/hsu/main.go b/cmd/hsu/main.go
index 1f6ca7b..27b97b5 100644
--- a/cmd/hsu/main.go
+++ b/cmd/hsu/main.go
@@ -34,6 +34,9 @@ func main() {
 	if os.Geteuid() != 0 {
 		log.Fatal("this program must be owned by uid 0 and have the setuid bit set")
 	}
+	if os.Getegid() != os.Getgid() {
+		log.Fatal("this program must not have the setgid bit set")
+	}
 	puid := os.Getuid()
 	if puid == 0 {
diff --git a/dist/install.sh b/dist/install.sh
index ef2e13d..b347eaa 100755
--- a/dist/install.sh
+++ b/dist/install.sh
@@ -4,7 +4,7 @@ cd "$(dirname -- "$0")" || exit 1
 install -vDm0755 "bin/hakurei" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hakurei"
 install -vDm0755 "bin/hpkg" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hpkg"
-install -vDm6511 "bin/hsu" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hsu"
+install -vDm4511 "bin/hsu" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hsu"
 if [ ! -f "${HAKUREI_INSTALL_PREFIX}/etc/hsurc" ]; then
 	install -vDm0400 "hsurc.default" "${HAKUREI_INSTALL_PREFIX}/etc/hsurc"
 fi
diff --git a/nixos.nix b/nixos.nix
index 6dd5180..8135690 100644
--- a/nixos.nix
+++ b/nixos.nix
@@ -51,11 +51,9 @@ in
       ];
       security.wrappers.hsu = {
-        source = "${cfg.hsuPackage}/bin/hsu";
         setuid = true;
         owner = "root";
-        setgid = true;
         group = "root";
       };
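Review bot: The added guard in `main` compares the effective gid with the real gid, so it only detects a setgid installation when the invoking user's real gid differs from the binary's group; a caller whose primary group matches the file's group passes the check even with the bit set, and the saved set-group-ID is not examined at all. That makes it a best-effort tripwire rather than a substitute for the install-time mode, which the `dist/install.sh` and `nixos.nix` hunks in this commit do tighten, and a comment on the new `if` should say so: `// Best-effort check that the binary is not also setgid; egid == gid does not prove the bit is clear.` The rest of `main` continues outside the hunk.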
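Review bot: Dropping `source = "${cfg.hsuPackage}/bin/hsu";` from `security.wrappers.hsu` goes beyond the setgid change the commit message describes, and only `setgid = true;` is needed to match the `install.sh` mode change. As far as I know `source` has no default in the NixOS `security.wrappers` submodule, so unless it is defined for this wrapper elsewhere in the module (not visible in this hunk) evaluation will fail or the wrapper will have no program to wrap. If the removal is intentional, the commit message should say where `source` now comes from; otherwise keep that line and remove only `setgid = true;`.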