deescalate privilege to create and open files

nad2040 · nad2040 · commit 8cdd8fe8df0a · 2026-01-31T01:04:50.000-05:00
diff --git a/src/cli.rs b/src/cli.rs
@@ -1,13 +1,12 @@
 use anyhow::Result;
 use clap::{Parser, Subcommand};
 use std::{
-    fs::{self, File},
+    fs::{self, OpenOptions},
     io::{self, BufWriter, Write},
-    os::unix::fs::chown,
-    path::{Path, PathBuf},
+    path::PathBuf,
 };
 
-use crate::invoker_permissions;
+use crate::utils::PrivGuard;
 
 #[derive(Parser, Debug)]
 #[command(name = "trace_v3", arg_required_else_help = true)]
@@ -56,12 +55,7 @@ fn make_output(target: &str) -> Result<Output> {
     match target {
         "-" => Ok(Box::new(io::stdout())),
         path => {
-            let (uid, gid) = invoker_permissions()?;
-
-            let set_owner = |path: &Path| {
-                chown(path, Some(uid), Some(gid))
-                    .expect("Failed to change file ownership to non-sudo user");
-            };
+            let _guard = PrivGuard::drop_to_user()?;
 
             let mut file_path = PathBuf::from(path);
 
@@ -70,14 +64,17 @@ fn make_output(target: &str) -> Result<Output> {
             }
 
             if let Some(parent) = file_path.parent() {
-                if !parent.exists() {
+                if !parent.as_os_str().is_empty() {
                     fs::create_dir_all(parent)?;
-                    set_owner(&parent);
                 }
             }
 
-            let file = File::create(&file_path)?;
-            set_owner(&file_path);
+            let file = OpenOptions::new()
+                .write(true)
+                .create(true)
+                .truncate(true)
+                .open(&path)?;
+
             Ok(Box::new(BufWriter::new(file)))
         }
     }
diff --git a/src/main.rs b/src/main.rs
@@ -5,27 +5,29 @@ use libc::{
     c_int, kill, sigaction, sigaddset, sigemptyset, sighandler_t, sigprocmask, sigset_t, sigwait,
     waitpid, SA_NOCLDSTOP, SA_RESTART, SIGCHLD, SIGUSR1, SIG_BLOCK, SIG_UNBLOCK,
 };
-use nix::unistd::{getgid, getuid, setgroups, setresgid, setresuid, Gid, Uid};
+use nix::unistd::{setgroups, setresgid, setresuid, Gid, Uid};
 use std::ffi::CStr;
 use std::ffi::CString;
 use std::io::{Error, ErrorKind};
 use std::mem::{size_of, zeroed, MaybeUninit};
 use std::os::raw::c_char;
 use std::os::unix::io::RawFd;
+use std::ptr;
 use std::sync::mpsc;
 use std::thread;
 use std::time::Duration;
-use std::{env, ptr};
 
 mod cli;
 mod dep_tracer;
 mod installer;
+mod utils;
 
 use crate::cli::{Cli, Commands, Outputs};
 use crate::dep_tracer::event_stream_handler;
 use crate::dep_tracer::SyscallEvent;
 use crate::dep_tracer::{CTXT, LOGS, SETS};
 use crate::installer::installer;
+use crate::utils::invoker_permissions;
 use trace_v3::sys_enter_info_t;
 use trace_v3::sys_exit_info_t;
 
@@ -36,18 +38,6 @@ extern "C" fn sigchld_handler(_sig: i32) {
     RUNNING.store(false, Ordering::Relaxed);
 }
 
-fn invoker_permissions() -> Result<(u32, u32)> {
-    let uid = match env::var("SUDO_UID").ok() {
-        Some(uid) => uid.parse()?,
-        None => getuid().as_raw(), // if invoking with setuid, use ruid
-    };
-    let gid = match env::var("SUDO_GID").ok() {
-        Some(gid) => gid.parse()?,
-        None => getgid().as_raw(), // if invoking with setuid, use rgid
-    };
-    Ok((uid, gid))
-}
-
 fn monitor_pid(pid: i32) -> std::io::Result<RawFd> {
     unsafe {
         let fd = libc::syscall(libc::SYS_pidfd_open, pid, 0);
diff --git a/src/utils.rs b/src/utils.rs
@@ -0,0 +1,39 @@
+use anyhow::Result;
+use nix::unistd::{geteuid, getgid, getuid, setresuid, Uid};
+use std::{env, io};
+
+pub fn invoker_permissions() -> Result<(u32, u32)> {
+    let uid = match env::var("SUDO_UID").ok() {
+        Some(uid) => uid.parse()?,
+        None => getuid().as_raw(), // if invoking with setuid, use ruid
+    };
+    let gid = match env::var("SUDO_GID").ok() {
+        Some(gid) => gid.parse()?,
+        None => getgid().as_raw(), // if invoking with setuid, use rgid
+    };
+    Ok((uid, gid))
+}
+
+/// Safely drops effective privileges to the Real User ID while held.
+/// Restores them to the Saved UID (root) when dropped.
+pub struct PrivGuard {
+    saved_euid: Uid,
+}
+
+impl PrivGuard {
+    pub fn drop_to_user() -> Result<Self> {
+        let ruid = getuid();
+        let euid = geteuid();
+        // setresuid(real, effective, saved)
+        setresuid(ruid, ruid, euid).map_err(|e| io::Error::new(io::ErrorKind::Other, e))?;
+        Ok(PrivGuard { saved_euid: euid })
+    }
+}
+
+impl Drop for PrivGuard {
+    fn drop(&mut self) {
+        let ruid = getuid();
+        // Restore effective UID to the saved UID (root)
+        let _ = setresuid(ruid, self.saved_euid, self.saved_euid);
+    }
+}
