
From:
"Anthony J. Bentley" <bentley@openbsd.org>
Subject:
Unprivileged font cache: xenocara
To:
tech@openbsd.org
Date:
Tue, 01 Jul 2025 01:41:22 -0600

As mentioned in the other email, this diff has to be committed at the
same time as the src diff.

matthieu@ requested that fc-cache(1) automatically drop to the _fc-cache
user when run as root, so users don't accidentally set ownership of
/var/cache/fontconfig or its contents back to root. Since rpki-client(8)
does the same thing, I just copied the invocation.

On its own, this would break make release. The build runs fc-cache as
root, so if fc-cache automatically drops privileges, _fc-cache would
be unable to interact with a noperm filesystem. So, switch to BUILDUSER,
who can, and then chown to _fc-cache afterward.

ok?

diff dd403c0ad15b7afbf85456f4a63c1270196cf7ce 3e4a80d08b904d3c99d1a7c7038daaf844c0b548
commit - dd403c0ad15b7afbf85456f4a63c1270196cf7ce
commit + 3e4a80d08b904d3c99d1a7c7038daaf844c0b548
blob - 0a8ae9fbee3b2ac25e932e5f867d751e96df4fa5
blob + 45876996c3147726c57fad8e4e09237ef392c6ad
--- dist/fontconfig/fc-cache/fc-cache.c
+++ dist/fontconfig/fc-cache/fc-cache.c
@@ -45,6 +45,7 @@
 #ifdef HAVE_DIRENT_H
 #include <dirent.h>
 #endif
+#include <pwd.h>
 #include <string.h>
 #include <locale.h>
 
@@ -380,6 +381,19 @@ main (int argc, char **argv)
 	systemOnly = FcTrue;
     }
 
+    /* If started as root, priv-drop to _fc-cache */
+    if (getuid() == 0) {
+        struct passwd *pw;
+
+        pw = getpwnam("_fc-cache");
+        if (!pw)
+            errx(1, "no _fc-cache user to revoke to");
+        if (setgroups(1, &pw->pw_gid) == -1 ||
+            setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1 ||
+            setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
+                err(1, "unable to revoke privs");
+    }
+
     if (pledge("stdio rpath wpath cpath flock", NULL) == -1)
         err(1, "pledge");
 
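Review bot: The new privilege-drop block in main() depends on an ordering constraint that its comment does not record. The `pledge("stdio rpath wpath cpath flock", NULL)` call directly below grants neither `getpw` nor `id`, so `getpwnam()` and the `setgroups`/`setresgid`/`setresuid` sequence only work while they stay above it. I would extend the comment to something like `/* If started as root, drop to _fc-cache so the cache is never written as root; must stay before pledge(), which allows neither getpw nor id. */`. Separately, the drop applies to every root invocation, so a root run against a cache location that _fc-cache cannot write would presumably no longer store a cache. Whether that failure is reported clearly depends on code outside this hunk, since main() starts and ends outside it.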
blob - 55f26f52846ce91a14eb5bfb39e1157647716751
blob + 7019da27f23ff0a52f444e877114d9a24e0670f9
--- font/alias/Makefile.bsd-wrapper
+++ font/alias/Makefile.bsd-wrapper
@@ -13,16 +13,25 @@ afterinstall:
 	chmod 644 ${DESTDIR}/usr/X11R6/lib/X11/fonts/${fdir}/fonts.scale
 .endfor
 	if test -z "$(DESTDIR)"; then \
+		chown ${BUILDUSER}:${WOBJGROUP} \
+		   ${DESTDIR}/var/cache/fontconfig; \
 		echo "fc-cache -s -v ${DESTDIR}/usr/X11R6/lib/X11/fonts";\
-		fc-cache -s -v ${DESTDIR}/usr/X11R6/lib/X11/fonts ;\
+		su ${BUILDUSER} -c \
+		   "fc-cache -s -v ${DESTDIR}/usr/X11R6/lib/X11/fonts" ;\
+		chown -R _fc-cache:_fc-cache \
+		   ${DESTDIR}/var/cache/fontconfig; \
 		chmod 644 ${DESTDIR}/var/cache/fontconfig/*; \
 	else \
 		echo "truncating font directories mtimes"; \
 		find "${DESTDIR}/usr/X11R6/lib/X11/fonts" -type d \
 		   -exec perl -e 'utime+(stat)[8,9],$$_ for @ARGV' {} + ;  \
+		chown ${BUILDUSER}:${WOBJGROUP} \
+		   ${DESTDIR}/var/cache/fontconfig; \
 		echo "fc-cache -y ${DESTDIR} -s -v /usr/X11R6/lib/X11/fonts";\
-		fc-cache -y ${DESTDIR} -s -v /usr/X11R6/lib/X11/fonts;\
-		chown root:wheel ${DESTDIR}/var/cache/fontconfig/*; \
+		su ${BUILDUSER} -c \
+		   "fc-cache -y ${DESTDIR} -s -v /usr/X11R6/lib/X11/fonts" ;\
+		chown -R _fc-cache:_fc-cache \
+		   ${DESTDIR}/var/cache/fontconfig/; \
 		chmod 644 ${DESTDIR}/var/cache/fontconfig/*; \
 	fi
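Review bot: In both branches root now runs `chmod 644 ${DESTDIR}/var/cache/fontconfig/*` over a directory that ${BUILDUSER} owned and wrote to a moment earlier, and a glob expanded by root acts on whatever names are in that directory, symlinks included. BUILDUSER is presumably a trusted build account, so the exposure is small, but restricting the step to regular files costs nothing: `find ${DESTDIR}/var/cache/fontconfig -type f -exec chmod 644 {} + ; \`. The two `chown -R _fc-cache:_fc-cache` targets also differ by a trailing slash (`fontconfig` in the first branch, `fontconfig/` in the second); using the form without the slash in both keeps the branches parallel. The afterinstall recipe starts outside this hunk.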