[core] check success of setuid,setgid,setgroups (CVE-2013-4559)

From: Stefan Bühler <stbuehler@web.de>

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2923 152afb58-edef-0310-8abb-c4023f1b3aa9

2 files changed, 13 insertions, 3 deletions

diff --git a/NEWS b/NEWS
index eb98e299..69b01e64 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,7 @@ NEWS
   * [doc] update ssl.cipher-list recommendation
   * [stat-cache] FAM: fix use after free (CVE-2013-4560)
   * [stat-cache] fix FAM cleanup/fdevent handling
+  * [core] check success of setuid,setgid,setgroups (CVE-2013-4559)
 
 - 1.4.33 - 2013-09-27
   * mod_fastcgi: fix mix up of "mode" => "authorizer" in other fastcgi configs (fixes #2465, thx peex)
diff --git a/src/server.c b/src/server.c
index 2d825bbc..e2b42eb0 100644
--- a/src/server.c
+++ b/src/server.c
@@ -820,8 +820,14 @@ int main (int argc, char **argv) {
 		 * to /etc/group
 		 * */
 		if (NULL != grp) {
-			setgid(grp->gr_gid);
-			setgroups(0, NULL);
+			if (-1 == setgid(grp->gr_gid)) {
+				log_error_write(srv, __FILE__, __LINE__, "ss", "setgid failed: ", strerror(errno));
+				return -1;
+			}
+			if (-1 == setgroups(0, NULL)) {
+				log_error_write(srv, __FILE__, __LINE__, "ss", "setgroups failed: ", strerror(errno));
+				return -1;
+			}
 			if (srv->srvconf.username->used) {
 				initgroups(srv->srvconf.username->ptr, grp->gr_gid);
 			}
@@ -844,7 +850,10 @@ int main (int argc, char **argv) {
 #ifdef HAVE_PWD_H
 		/* drop root privs */
 		if (NULL != pwd) {
-			setuid(pwd->pw_uid);
+			if (-1 == setuid(pwd->pw_uid)) {
+				log_error_write(srv, __FILE__, __LINE__, "ss", "setuid failed: ", strerror(errno));
+				return -1;
+			}
 		}
 #endif
 #if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE)