From f459fed4a80bc673899a7277067d3d847f2fb979 Mon Sep 17 00:00:00 2001
From: Johan Malm
Date: Fri, 23 Oct 2020 20:25:56 +0100
Subject: [PATCH] server: add drop_permissions() (issue #5)

---
 src/server.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/src/server.c b/src/server.c
index b19b17bc..3a858f66 100644
--- a/src/server.c
+++ b/src/server.c
@@ -9,6 +9,7 @@
 #include
 #include
 #include
+#include "common/log.h"
 #include "layers.h"
 static struct wlr_compositor *compositor;
@@ -35,6 +36,22 @@ handle_signal(int signal, void *data)
 }
 }
+static void
+drop_permissions(void)
+{
+ if (getuid() != geteuid() || getgid() != getegid()) {
+ if (setgid(getgid())) {
+ die("unable to drop root group");
+ }
+ if (setuid(getuid())) {
+ die("unable to drop root user");
+ }
+ }
+ if (setgid(0) != -1 || setuid(0) != -1) {
+ die("unable to drop root");
+ }
+}
+
 void
 server_init(struct server *server)
 {
@@ -62,6 +79,16 @@ server_init(struct server *server)
 exit(EXIT_FAILURE);
 }
+ /*
+ * The wlroots library makes use of systemd's logind to handle sessions
+ * and to allow compositors to run without elevated privileges.
+ * If running without logind or elogind, users may choose to set the
+ * setuid bit on the labwc executable despite associated security
+ * implications. In order to support this, but limit the elevated
+ * privileges as much as possible, we drop permissions at this point.
+ */
+ drop_permissions();
+
 /*
 * If we don't provide a renderer, autocreate makes a GLES2 renderer
 * for us. The renderer is responsible for defining the various pixel
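Review bot: drop_permissions() never touches the supplementary group list, so `setgid(getgid())` only resets the primary gid; if labwc is ever started from a context that carries extra group memberships (a root session rather than the setuid bit the comment in the third hunk describes), those groups survive the drop. Calling `setgroups(1, &gid)` with `gid_t gid = getgid();` before the `setgid()` call, and treating its failure like the other `die()` cases, would close that gap; whether it matters depends on how labwc is launched, which this hunk does not show. The final `if (setgid(0) != -1 || setuid(0) != -1)` check also fires when the invoking user really is root (real and effective ids already 0), because the first branch is skipped and `setuid(0)` then succeeds, so labwc dies with `unable to drop root` instead of saying it refuses to run as root; a comment such as `/* Also rejects being started as real root: setuid(0) succeeds there. */` above that check, or an explicit `if (getuid() == 0) die("refusing to run as root");` at the top, would make the intent clear. The `die()` calls presumably rely on the `common/log.h` include added in the first hunk.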