Check that executable is not SUID/SGID for unrelated subcommands

2025-11-10 00:33:53 +09:00
parent 05a4f9ad1d
commit bd4791dc17
2 changed files with 26 additions and 0 deletions
--- a/src/core/common.rs
+++ b/src/core/common.rs
@@ -20,6 +20,23 @@ fn get_unix_groups(_user: &LibcUser) -> anyhow::Result<Vec<LibcGroup>> {
    Ok(vec![])
 }

+/// Check if the current executable is SUID or SGID.
+///
+/// If the check fails, an error is returned.
+pub fn executable_is_suid_or_sgid() -> anyhow::Result<bool> {
+    let result = std::env::current_exe()
+        .context("Failed to get current executable path")
+        .and_then(|executable| {
+            fs::metadata(executable).context("Failed to get executable metadata")
+        })
+        .context("Failed to check SUID/SGID bits on executable")
+        .map(|metadata| {
+            let mode = metadata.permissions().mode();
+            mode & 0o4000 != 0 || mode & 0o2000 != 0
+        })?;
+    Ok(result)
+}
+
 #[cfg(not(target_os = "macos"))]
 fn get_unix_groups(user: &LibcUser) -> anyhow::Result<Vec<LibcGroup>> {
    let user_cstr =