nfqws,tpws: use initgroups() if --user specified

2025-08-10 01:02:03 +03:00 · 2025-06-11 20:15:43 +03:00
parent f3d48b7160
commit f09d918b40
11 changed files with 125 additions and 97 deletions
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@@ -297,7 +297,7 @@ static int nfq_main(void)
 		return 1;
 	}

-	if (params.droproot && !droproot(params.uid, params.gid, params.gid_count) || !dropcaps())
+	if (params.droproot && !droproot(params.uid, params.user, params.gid, params.gid_count) || !dropcaps())
 		goto err;
 	print_id();
 	if (params.droproot && !test_list_files())
@@ -439,7 +439,7 @@ static int dvt_main(void)
 		goto exiterr;


-	if (params.droproot && !droproot(params.uid, params.gid, params.gid_count))
+	if (params.droproot && !droproot(params.uid, params.user, params.gid, params.gid_count))
 		goto exiterr;
 	print_id();
 	if (params.droproot && !test_list_files())
@@ -661,34 +661,9 @@ static int win_main(const char *windivert_filter)



-#if !defined( __OpenBSD__) && !defined(__ANDROID__)
-static void cleanup_args()
-{
-	wordfree(&params.wexp);
-}
-#endif
-
-static void cleanup_params(void)
-{
-#if !defined( __OpenBSD__) && !defined(__ANDROID__)
-	cleanup_args();
-#endif
-
-	ConntrackPoolDestroy(&params.conntrack);
-
-	dp_list_destroy(&params.desync_profiles);
-
-	hostlist_files_destroy(&params.hostlists);
-	ipset_files_destroy(&params.ipsets);
-	ipcacheDestroy(&params.ipcache);
-#ifdef __CYGWIN__
-	strlist_destroy(&params.ssid_filter);
-	strlist_destroy(&params.nlm_filter);
-#endif
-}
 static void exit_clean(int code)
 {
-	cleanup_params();
+	cleanup_params(&params);
 	exit(code);
 }

@@ -1667,7 +1642,7 @@ static void exithelp(void)
 }
 static void exithelp_clean(void)
 {
-	cleanup_params();
+	cleanup_params(&params);
 	exithelp();
 }

@@ -2163,6 +2138,7 @@ int main(int argc, char **argv)
 #ifndef __CYGWIN__
 		case IDX_USER:
 		{
+			free(params.user); params.user=NULL;
 			struct passwd *pwd = getpwnam(optarg);
 			if (!pwd)
 			{
@@ -2170,27 +2146,18 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			params.uid = pwd->pw_uid;
-			params.gid_count=MAX_GIDS;
-#ifdef __APPLE__
-			// silence warning
-			if (getgrouplist(optarg,pwd->pw_gid,(int*)params.gid,&params.gid_count)<0)
-#else
-			if (getgrouplist(optarg,pwd->pw_gid,params.gid,&params.gid_count)<0)
-#endif
+			params.gid[0]=pwd->pw_gid;
+			params.gid_count=1;
+			if (!(params.user=strdup(optarg)))
 			{
-				DLOG_ERR("getgrouplist failed. too much groups ?\n");
+				DLOG_ERR("strdup: out of memory\n");
 				exit_clean(1);
 			}
-			if (!params.gid_count)
-			{
-				params.gid[0] = pwd->pw_gid;
-				params.gid_count = 1;
-			}
 			params.droproot = true;
 			break;
 		}
 		case IDX_UID:
-			params.droproot = true;
+			free(params.user); params.user=NULL;
 			if (!parse_uid(optarg,&params.uid,params.gid,&params.gid_count,MAX_GIDS))
 			{
 				DLOG_ERR("--uid should be : uid[:gid,gid,...]\n");
@@ -2201,6 +2168,7 @@ int main(int argc, char **argv)
 				params.gid[0] = 0x7FFFFFFF;
 				params.gid_count = 1;
 			}
+			params.droproot = true;
 			break;
 #endif
 		case IDX_WSIZE:
@@ -2999,7 +2967,7 @@ int main(int argc, char **argv)

 	// do not need args from file anymore
 #if !defined( __OpenBSD__) && !defined(__ANDROID__)
-	cleanup_args();
+	cleanup_args(&params);
 #endif
 	argv=NULL; argc=0;
 	
@@ -3142,7 +3110,7 @@ int main(int argc, char **argv)
 #ifndef __CYGWIN__
 		if (params.droproot)
 		{
-			if (!droproot(params.uid,params.gid,params.gid_count))
+			if (!droproot(params.uid,params.user,params.gid,params.gid_count))
 				exit_clean(1);
 #ifdef __linux__
 			if (!dropcaps())
@@ -3177,7 +3145,7 @@ int main(int argc, char **argv)
 #endif
 ex:
 	rawsend_cleanup();
-	cleanup_params();
+	cleanup_params(&params);
 #ifdef __CYGWIN__
 	if (hMutexArg)
 	{