From 1914bd5b932636b2e04ce3ed5ce0029e04fabf95 Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson" <robbat2@gentoo.org>
Date: Sun, 9 Jan 2022 21:57:15 -0800
Subject: [PATCH] radvd: save pwnam if no user or root is passed

If -u is not passed, or -u root is passed, the is-config-writable by own
uid or own gid check is not needed, so skip the pwnam that it causes.

Reference: https://github.com/radvd-project/radvd/issues/165
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
---
 radvd.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/radvd.c b/radvd.c
index 56c6807..d55838b 100644
--- a/radvd.c
+++ b/radvd.c
@@ -865,13 +865,6 @@ static int check_conffile_perm(const char *username, const char *conf_file)
 	}
 	fclose(fp);
 
-	if (!username)
-		username = "root";
-
-	struct passwd *pw = getpwnam(username);
-	if (!pw) {
-		return -1;
-	}
 
 	struct stat stbuf;
 	if (0 != stat(conf_file, &stbuf)) {
@@ -883,11 +876,19 @@ static int check_conffile_perm(const char *username, const char *conf_file)
 		return -1;
 	}
 
-	/* for non-root: must not be writable by self/own group */
-	if (strncmp(username, "root", 5) != 0 && ((stbuf.st_mode & S_IWGRP && pw->pw_gid == stbuf.st_gid) ||
-						  (stbuf.st_mode & S_IWUSR && pw->pw_uid == stbuf.st_uid))) {
-		flog(LOG_ERR, "Insecure file permissions (writable by self/group): %s", conf_file);
-		return -1;
+	if(username != NULL && strncmp(username, "root", 5) != 0) {
+		struct passwd *pw = getpwnam(username);
+		if (!pw) {
+			return -1;
+		}
+
+		/* for non-root: must not be writable by self/own group */
+		/* TODO: this should check supplementary groups as well, via getgroups and looping */
+		if ((stbuf.st_mode & S_IWGRP && pw->pw_gid == stbuf.st_gid) ||
+			(stbuf.st_mode & S_IWUSR && pw->pw_uid == stbuf.st_uid)) {
+			flog(LOG_ERR, "Insecure file permissions (writable by self/group): %s", conf_file);
+			return -1;
+		}
 	}
 
 	return 0;