cmd/hsu: check against setgid bit

The getgroups behaviour is already checked for, but it never hurts to be more careful in a setuid program. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-10-08 18:22:24 +09:00 · 2025-10-08 18:22:24 +09:00 · 5bf28901a4
commit 5bf28901a4
parent 9b507715d4
3 changed files with 4 additions and 3 deletions
--- a/cmd/hsu/main.go
+++ b/cmd/hsu/main.go
@ -34,6 +34,9 @@ func main() {
 	if os.Geteuid() != 0 {
 		log.Fatal("this program must be owned by uid 0 and have the setuid bit set")
 	}
 	if os.Getegid() != os.Getgid() {
 		log.Fatal("this program must not have the setgid bit set")
 	}
 	puid := os.Getuid()
 	if puid == 0 {
--- a/dist/install.sh
+++ b/dist/install.sh
@ -4,7 +4,7 @@ cd "$(dirname -- "$0")" || exit 1
 install -vDm0755 "bin/hakurei" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hakurei"
 install -vDm0755 "bin/hpkg" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hpkg"
-install -vDm6511 "bin/hsu" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hsu"
+install -vDm4511 "bin/hsu" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hsu"
 if [ ! -f "${HAKUREI_INSTALL_PREFIX}/etc/hsurc" ]; then
    install -vDm0400 "hsurc.default" "${HAKUREI_INSTALL_PREFIX}/etc/hsurc"
 fi
--- a/nixos.nix
+++ b/nixos.nix
@ -51,11 +51,9 @@ in
    ];
    security.wrappers.hsu = {
      source = "${cfg.hsuPackage}/bin/hsu";
      setuid = true;
      owner = "root";
      setgid = true;
      group = "root";
    };