From ab511bb0772652761c322e2a53ed93a546dc08d8 Mon Sep 17 00:00:00 2001
From: Ronald Chan
Date: Thu, 21 Nov 2013 16:49:04 +1300
Subject: [PATCH] isolate: Update from https://github.com/NZOI/moe-cms/commit/ee98549208e24ab9e4c1ce414c09c202f96d8405 drop root privileges, use real user id to open metafile - security issue - can be used for privilege escalation attacks for users permitted close metafile to prevent box_inside writing false data to it - see https://github.com/ronalchn/isolate-cheater
---
 isolate/isolate.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/isolate/isolate.c b/isolate/isolate.c
index 37b34f7f97..c12d34d9cb 100644
--- a/isolate/isolate.c
+++ b/isolate/isolate.c
@@ -94,7 +94,9 @@ meta_open(const char *name)
 metafile = stdout;
 return;
 }
+ setreuid(geteuid(), getuid());
 metafile = fopen(name, "w");
+ setreuid(geteuid(), getuid());
 if (!metafile)
 die("Failed to open metafile '%s'",name);
 }
@@ -1251,6 +1253,7 @@ box_inside(void *arg)
 char **args = arg;
 write_errors_to_fd = error_pipes[1];
 close(error_pipes[0]);
+ meta_close();
 cg_enter();
 setup_root();
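Review bot: Both added `setreuid(geteuid(), getuid());` calls in meta_open ignore the return value, so if the first swap fails the following `fopen(name, "w")` still runs with the privileged effective uid, which is the case this patch is meant to close. Each call should be checked and the program aborted on failure, for example `if (setreuid(geteuid(), getuid()) < 0) die("Cannot switch uid to open metafile '%s'", name);`. A failure of the second call matters too, because the rest of the run would continue without the privileges it expects. Only the uid is swapped; whether the group needs the same treatment with setregid() depends on how the binary is installed, which this hunk does not show. meta_open starts outside the hunk.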
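Review bot: The added `meta_close();` in box_inside has no comment explaining why the child closes a file it never writes, so a later cleanup could remove it as redundant. I would put `/* The boxed process must not inherit a writable metafile handle. */` directly above it. meta_close() is defined outside this hunk; if it goes through fclose(), any metafile output still buffered when the child was created would be flushed a second time from the child, so it is worth confirming nothing is pending at that point. box_inside starts and ends outside the hunk.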