From a76979cabd0c7ee0ddc1ca87bc3f72bc12f0c86f Mon Sep 17 00:00:00 2001 From: Ian Dall Date: Thu, 24 Apr 2025 01:31:48 +0930 Subject: [PATCH] Set real uid to effective uid. Modprobe may be configured to use shell scripts. Shells set euid to ruid to protect against setuid shell scripts. so we need to set ruid = euid before spawning modprobe. --- modprobe-utils/nvidia-modprobe-utils.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/modprobe-utils/nvidia-modprobe-utils.c b/modprobe-utils/nvidia-modprobe-utils.c index 292093b..aa70602 100644 --- a/modprobe-utils/nvidia-modprobe-utils.c +++ b/modprobe-utils/nvidia-modprobe-utils.c @@ -181,6 +181,7 @@ static int modprobe_helper(const int print_errors, const char *module_name, { char modprobe_path[NV_PROC_MODPROBE_PATH_MAX]; int status = 1; + int euid; struct stat file_status; pid_t pid; const char * const argv[] = { "modprobe", module_name, NULL }; @@ -217,11 +218,15 @@ static int modprobe_helper(const int print_errors, const char *module_name, /* Only attempt to load the kernel module if root. */ - if (geteuid() != 0) + if ((euid = geteuid()) != 0) { - return 0; + fprintf(stderr, "euid (%d) not root\n", euid); + return 0; } + /* Modprobe might call shell scripts and shells revert to real uid */ + setuid(euid); /* Set ruid = euid */ + /* * Before attempting to load the module, look for any NVIDIA PCI devices. * If none exist, exit instead of attempting the modprobe, because doing so @@ -300,7 +305,8 @@ static int modprobe_helper(const int print_errors, const char *module_name, /* Fork and exec modprobe from the child process. */ - file_actions = silence_process_actions(); + /* file_actions = silence_process_actions(); */ + file_actions = NULL; /* Warnings, if they occur, are helpful! */ /* * POSIX specifies that the argv and envp arguments are arrays of non-const