From bb0ed491b31f4c82934abb5c9bbc27bfc1354125 Mon Sep 17 00:00:00 2001 From: Daniel Markstedt Date: Wed, 6 May 2026 21:45:58 +0200 Subject: [PATCH] CVE-2026-44059,CVE-2026-7835: libatalk/util: fix privilege toggle and log format Reported-by: @00redbeer Signed-off-by: Daniel Markstedt --- libatalk/util/unix.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/libatalk/util/unix.c b/libatalk/util/unix.c index 5bfbbf326..2024d3d9f 100644 --- a/libatalk/util/unix.c +++ b/libatalk/util/unix.c @@ -168,17 +168,22 @@ int daemonize(void) } static uid_t saved_uid = -1; +static int root_nesting = 0; /*! - * seteuid(0) and back, if either fails and panic != 0 we PANIC + * seteuid(0) and back, if either fails and panic != 0 we PANIC. + * Nesting is tracked: only the outermost become_root() elevates privileges + * and only the matching unbecome_root() drops them. */ void become_root(void) { if (getuid() == 0) { - saved_uid = geteuid(); + if (root_nesting++ == 0) { + saved_uid = geteuid(); - if (seteuid(0) != 0) { - AFP_PANIC("Can't seteuid(0)"); + if (seteuid(0) != 0) { + AFP_PANIC("Can't seteuid(0)"); + } } } } @@ -186,11 +191,17 @@ void become_root(void) void unbecome_root(void) { if (getuid() == 0) { - if (saved_uid == -1 || seteuid(saved_uid) < 0) { - AFP_PANIC("Can't seteuid back"); + if (root_nesting <= 0) { + AFP_PANIC("unbecome_root: nesting underflow"); } - saved_uid = -1; + if (--root_nesting == 0) { + if (saved_uid == -1 || seteuid(saved_uid) < 0) { + AFP_PANIC("Can't seteuid back"); + } + + saved_uid = -1; + } } } @@ -711,7 +722,7 @@ int set_groups(AFPObj *obj, struct passwd *pwd) } if (NULL == (obj->groups = calloc(obj->ngroups, sizeof(gid_t)))) { - LOG(log_error, logtype_afpd, "login: %s calloc: %d", obj->ngroups); + LOG(log_error, logtype_afpd, "login: calloc(%d) failed", obj->ngroups); return -1; }