Diffstat (limited to 'src')
| -rw-r--r-- | src/unistd/setxid.c | 38 | 
1 files changed, 15 insertions, 23 deletions
diff --git a/src/unistd/setxid.c b/src/unistd/setxid.c
index 2f651a11..9e37ddc4 100644
--- a/src/unistd/setxid.c
+++ b/src/unistd/setxid.c
@@ -1,43 +1,35 @@
 #include <unistd.h>
 #include <errno.h>
-#include <sys/resource.h>
 #include "syscall.h"
 #include "libc.h"
+#include "pthread_impl.h"
 struct ctx {
 	int id, eid, sid;
-	int nr, rlim, err;
+	int nr, err;
 };
-/* We jump through hoops to eliminate the possibility of partial failures. */
-
-int __setrlimit(int, const struct rlimit *);
-
 static void do_setxid(void *p)
 {
 	struct ctx *c = p;
-	if (c->err) return;
-	if (c->rlim && c->id >= 0 && c->id != getuid()) {
-		struct rlimit inf = { RLIM_INFINITY, RLIM_INFINITY }, old;
-		getrlimit(RLIMIT_NPROC, &old);
-		if ((c->err = -__setrlimit(RLIMIT_NPROC, &inf)) && libc.threads_minus_1)
-			return;
-		c->err = -__syscall(c->nr, c->id, c->eid, c->sid);
-		__setrlimit(RLIMIT_NPROC, &old);
-		return;
+	if (c->err>0) return;
+	int ret = -__syscall(c->nr, c->id, c->eid, c->sid);
+	if (ret && !c->err) {
+		/* If one thread fails to set ids after another has already
+		 * succeeded, forcibly killing the process is the only safe
+		 * thing to do. State is inconsistent and dangerous. Use
+		 * SIGKILL because it is uncatchable. */
+		__block_all_sigs(0);
+		__syscall(SYS_kill, __syscall(SYS_getpid), SIGKILL);
 	}
-	c->err = -__syscall(c->nr, c->id, c->eid, c->sid);
+	c->err = ret;
 }
 int __setxid(int nr, int id, int eid, int sid)
 {
-	struct ctx c = { .nr = nr, .id = id, .eid = eid, .sid = sid };
-	switch (nr) {
-	case SYS_setuid:
-	case SYS_setreuid:
-	case SYS_setresuid:
-		c.rlim = 1;
-	}
+	/* err is initially nonzero so that failure of the first thread does not
+	 * trigger the safety kill above. */
+	struct ctx c = { .nr = nr, .id = id, .eid = eid, .sid = sid, .err = -1 };
 	__synccall(do_setxid, &c);
 	if (c.err) {
 		errno = c.err;
|
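Review bot: In do_setxid the safety kill is not enforced as a terminal step: the result of `__syscall(SYS_kill, __syscall(SYS_getpid), SIGKILL)` is ignored and control falls through to `c->err = ret`. If that call ever returned without ending the process (for instance because something in the environment refuses it; nothing on this page shows such a case), the threads would keep running with mixed ids, the very state the comment calls dangerous. Making the branch non-returning would close that gap, e.g. `for (;;) __syscall(SYS_kill, __syscall(SYS_getpid), SIGKILL);` or a deliberate crash after the kill. Separately, `err` now encodes three states that the `c->err>0` and `!c->err` tests depend on, so the field in `struct ctx` deserves a comment such as `/* -1: no thread has run yet; 0: a thread succeeded; >0: errno of the first failure */`. The body of __setxid continues past the end of the hunk.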
