Check if the script has been launched as privileged user (root) and drop all permissions by switching to the "nobody" user and group.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- src/scripts/update-ids-ruleset | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset index 956c3a1f5..dbe5b6849 100644 --- a/src/scripts/update-ids-ruleset +++ b/src/scripts/update-ids-ruleset @@ -20,11 +20,25 @@ ###############################################################################
use strict; +use POSIX;
require '/var/ipfire/general-functions.pl'; require "${General::swroot}/ids-functions.pl"; require "${General::swroot}/lang.pl";
+# The user and group name as which this script should be run. +my $run_as = 'nobody'; + +# Get user and group id of the user. +my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ]; + +# Check if the script currently runs as root. +if ( $> == 0 ) { + # Drop privileges and switch to the specified user and group. + POSIX::setgid( $gid ); + POSIX::setuid( $uid ); +} + # Check if the red device is active. unless (-e "${General::swroot}/red/active") { # Store notice in the syslog.