$OpenBSD: patch-packet_packet_c,v 1.2 2017/06/02 16:50:16 sthen Exp $

Index: packet/packet.c
--- packet/packet.c.orig
+++ packet/packet.c
@@ -23,6 +23,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include <pwd.h>
 
 #ifdef HAVE_LIBCAP
 #include <sys/capability.h>
@@ -38,11 +39,25 @@ int drop_elevated_permissions(
 #ifdef HAVE_LIBCAP
     cap_t cap;
 #endif
+    struct passwd *pw;
 
-    /*  Drop any suid permissions granted  */
-    if (setgid(getgid()) || setuid(getuid())) {
+    if ((pw = getpwnam("_mtr")) == NULL) {
         return -1;
     }
+    if (chroot("/var/empty") == -1) {
+        return -1;
+    }
+    if (chdir("/") == -1) {
+        return -1;
+    }
+    if (pw) {
+        if (setgroups(1, &pw->pw_gid) == -1 ||
+            setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1 ||
+            setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1) {
+                return -1;
+        }
+    }
+    endpwent();
 
     if (geteuid() != getuid() || getegid() != getgid()) {
         return -1;
