Security patches: RestartJob ignores pid, argv[0]; kill runs as child UID

system_utils.cc

 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "login_manager/system_utils.h"
 
 #include <errno.h>
 #include <signal.h>
 #include <sys/wait.h>
 #include <unistd.h>
 
 #include <limits>
 
 #include <base/basictypes.h>
 #include <base/file_path.h>
 #include <base/file_util.h>
 #include <base/logging.h>
 #include "base/scoped_temp_dir.h"
 #include <base/time.h>
 
 namespace login_manager {
 
 SystemUtils::SystemUtils() {}
 SystemUtils::~SystemUtils() {}
 
-int SystemUtils::kill(pid_t pid, int signal) {
-  LOG(INFO) << "Sending " << signal << " to " << pid;
-  return ::kill(pid, signal);
+int SystemUtils::kill(pid_t pid, uid_t owner, int signal) {
+  LOG(INFO) << "Sending " << signal << " to " << pid << " as " << owner;
+  uid_t uid, euid, suid;
+  getresuid(&uid, &euid, &suid);
+  if (setresuid(owner, owner, -1)) {
+    PLOG(ERROR) << "Couldn't assume uid " << owner;
+    return -1;
+  }
+  int ret = ::kill(pid, signal);
+  if (setresuid(uid, euid, -1)) {
+    PLOG(ERROR) << "Couldn't return to root";
+    return -1;
+  }
+  return ret;
 }
 
 bool SystemUtils::ChildIsGone(pid_t child_spec, int timeout) {
   base::Time start = base::Time::Now();
   base::TimeDelta max_elapsed = base::TimeDelta::FromSeconds(timeout);
   base::TimeDelta elapsed;
   int ret;
 
   alarm(timeout);
   do {
@@ skipping 38 matching lines @@
   if (!file_util::CreateTemporaryFileInDir(filename.DirName(), &scratch_file))
     return false;
   if (file_util::WriteFile(scratch_file, data, size) != size)
     return false;
 
   return (file_util::ReplaceFile(scratch_file, filename) &&
           chmod(filename.value().c_str(), (S_IRUSR | S_IWUSR | S_IROTH)) == 0);
 }
 
 }  // namespace login_manager