> As
> I understand it, this is the POSIX way. Anyway, I'm going to prepare
> a
> patch.
I did some more testing and it seems this simple patch fixes the issue:
--- calendar.c 2021-12-07 17:53:16.044315761 +0100
+++ calendar.c 2021-12-07 08:59:20.293726904 +0100
@@ -190,6 +190,8 @@
case 0: /* child */
(void)setpgid(getpid(), getpid());
(void)setlocale(LC_ALL, "");
+ if (setgid(pw->pw_gid) != 0 ||
setuid(pw->pw_uid) != 0)
+ err(1, "unable to switch to
user %u group %u", pw->pw_uid, pw->pw_gid);
if (acstat) {
if (chdir(pw->pw_dir) ||
stat(calendarFile, &sbuf)
!= 0 ||
Any comments?
@security team: Do you want me to prepare a fix for stable, too?
Michael
--
Michael Meskes
Michael at Fam-Meskes dot De
Michael at Meskes dot (De|Com|Net|Org)
Meskes at (Debian|Postgresql) dot Org
