From 2e904e96d164a15d58836a3f740480be18d2040c Mon Sep 17 00:00:00 2001
From: travankor
Date: Mon, 13 Apr 2020 14:05:19 -0700
Subject: [PATCH] Cage: drop gid before uid

If setuid is called first then the target user may not have the ability to setgid.
---
 cage.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/cage.c b/cage.c
index a1ba450..e4eb90f 100644
--- a/cage.c
+++ b/cage.c
@@ -146,13 +146,14 @@ static bool
 drop_permissions(void)
 {
 if (getuid() != geteuid() || getgid() != getegid()) {
- if (setuid(getuid()) != 0 || setgid(getgid()) != 0) {
+ // Set the gid and uid in the correct order.
+ if (setgid(getgid()) != 0 || setuid(getuid()) != 0) {
 wlr_log(WLR_ERROR, "Unable to drop root, refusing to start");
 return false;
 }
 }
 
- if (setuid(0) != -1) {
+ if (setgid(0) != -1 || setuid(0) != -1) {
 wlr_log(WLR_ERROR, "Unable to drop root (we shouldn't be able to restore it after setuid), refusing to start");
 return false;
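Review bot: The new post-drop check `if (setgid(0) != -1 || setuid(0) != -1)` treats a successful `setgid(0)` as proof that root can be regained, but that call also succeeds for an unprivileged process whose real or saved gid is already 0, so a non-root user with primary group 0 would be refused with a misleading "Unable to drop root" error. Consider `if ((getgid() != 0 && setgid(0) != -1) || setuid(0) != -1) {`, or a comment stating that gid 0 is rejected on purpose. The added comment asserts that the order is correct without saying why; `// Drop the gid first: once setuid() has given up root, setgid() is no longer permitted.` would keep a later refactor from swapping the calls back. The error text in the second branch still mentions only setuid. The closing of that `if` and the rest of drop_permissions() lie outside the visible hunk.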