Merge pull request #335 from greenbone/fix/gsad-chroot-working-directory

bjoernricks · web-flow · commit 2dfda857a1ed · 2026-02-24T08:29:38.000+01:00
fix: chdir("/") after chroot to fix static path resolution
diff --git a/src/gsad.c b/src/gsad.c
@@ -1264,7 +1264,7 @@ drop_privileges (struct passwd *user_pw)
 static int
 chroot_drop_privileges (gboolean do_chroot, const gchar *drop, const gchar *dir)
 {
-  struct passwd *user_pw;
+  struct passwd *user_pw = NULL;
 
   if (drop)
     {
@@ -1277,8 +1277,6 @@ chroot_drop_privileges (gboolean do_chroot, const gchar *drop, const gchar *dir)
           return 1;
         }
     }
-  else
-    user_pw = NULL;
 
   if (do_chroot)
     {
@@ -1290,28 +1288,34 @@ chroot_drop_privileges (gboolean do_chroot, const gchar *drop, const gchar *dir)
           return 1;
         }
       set_chroot_state (1);
+
+      if (chdir ("/"))
+        {
+          g_critical ("failed to change to \"/\" after chroot: %s",
+                      strerror (errno));
+          return 1;
+        }
+
       g_info ("Chrooted to \"%s\"", dir);
     }
-
-  if (user_pw)
+  else
     {
-      if (drop_privileges (user_pw) == FALSE)
+      if (chdir (dir))
         {
-          g_critical ("Failed to drop privileges");
+          g_critical ("failed to change to \"%s\": %s", dir, strerror (errno));
           return 1;
         }
-      else
-        g_info ("Dropped privileges to user \"%s\" (uid: %d, gid: %d)", drop,
-                user_pw->pw_uid, user_pw->pw_gid);
+      g_info ("Serving from directory %s", dir);
     }
 
-  if (!do_chroot)
+  if (user_pw)
     {
-      if (chdir (dir))
+      if (drop_privileges (user_pw) == FALSE)
         {
-          g_critical ("failed to change to \"%s\": %s", dir, strerror (errno));
+          g_critical ("Failed to drop privileges");
           return 1;
         }
+
       g_debug ("Working directory is %s", dir);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -1264,7 +1264,7 @@ drop_privileges (struct passwd *user_pw)`
`1264`	`1264`	`static int`
`1265`	`1265`	`chroot_drop_privileges (gboolean do_chroot, const gchar drop, const gchar dir)`
`1266`	`1266`	`{`
`1267`		`- struct passwd *user_pw;`
	`1267`	`+ struct passwd *user_pw = NULL;`
`1268`	`1268`
`1269`	`1269`	`if (drop)`
`1270`	`1270`	`{`
`@@ -1277,8 +1277,6 @@ chroot_drop_privileges (gboolean do_chroot, const gchar drop, const gchar dir)`
`1277`	`1277`	`return 1;`
`1278`	`1278`	`}`
`1279`	`1279`	`}`
`1280`		`- else`
`1281`		`- user_pw = NULL;`
`1282`	`1280`
`1283`	`1281`	`if (do_chroot)`
`1284`	`1282`	`{`
`@@ -1290,28 +1288,34 @@ chroot_drop_privileges (gboolean do_chroot, const gchar drop, const gchar dir)`
`1290`	`1288`	`return 1;`
`1291`	`1289`	`}`
`1292`	`1290`	`set_chroot_state (1);`
	`1291`	`+`
	`1292`	`+ if (chdir ("/"))`
	`1293`	`+ {`
	`1294`	`+ g_critical ("failed to change to \"/\" after chroot: %s",`
	`1295`	`+ strerror (errno));`
	`1296`	`+ return 1;`
	`1297`	`+ }`
	`1298`	`+`
`1293`	`1299`	`g_info ("Chrooted to \"%s\"", dir);`
`1294`	`1300`	`}`
`1295`		`-`
`1296`		`- if (user_pw)`
	`1301`	`+ else`
`1297`	`1302`	`{`
`1298`		`- if (drop_privileges (user_pw) == FALSE)`
	`1303`	`+ if (chdir (dir))`
`1299`	`1304`	`{`
`1300`		`- g_critical ("Failed to drop privileges");`
	`1305`	`+ g_critical ("failed to change to \"%s\": %s", dir, strerror (errno));`
`1301`	`1306`	`return 1;`
`1302`	`1307`	`}`
`1303`		`- else`
`1304`		`- g_info ("Dropped privileges to user \"%s\" (uid: %d, gid: %d)", drop,`
`1305`		`- user_pw->pw_uid, user_pw->pw_gid);`
	`1308`	`+ g_info ("Serving from directory %s", dir);`
`1306`	`1309`	`}`
`1307`	`1310`
`1308`		`- if (!do_chroot)`
	`1311`	`+ if (user_pw)`
`1309`	`1312`	`{`
`1310`		`- if (chdir (dir))`
	`1313`	`+ if (drop_privileges (user_pw) == FALSE)`
`1311`	`1314`	`{`
`1312`		`- g_critical ("failed to change to \"%s\": %s", dir, strerror (errno));`
	`1315`	`+ g_critical ("Failed to drop privileges");`
`1313`	`1316`	`return 1;`
`1314`	`1317`	`}`
	`1318`	`+`
`1315`	`1319`	`g_debug ("Working directory is %s", dir);`
`1316`	`1320`	`}`
`1317`	`1321`