On Mon, Sep 16, 2002 at 01:07:35PM +0200, Pawel Jakub Dawidek wrote:
> +> void
> +> delgroup(struct proc *p, gid_t gid)
> +> {
> [...]
> +>    setsugid(p);    /* XXX: Have to be here? */
> +> }
> 
> When I'm removing group should I call setsugid() and set P_SUGID flag?
> I think that in delgroup() this shouln't be done. Am I right?
Nope. Removing some groups might also increase process privileges.
A trivial example:

root@vanity ~#echo blah > /tmp/file
root@vanity ~#chmod 604 /tmp/file
root@vanity ~#ls -l /tmp/file
-rw----r--  1 root  wheel  5 17 Wrz 11:02 /tmp/file

diavul@vanity ~$id
uid=666(diavul) gid=666(diavul) groups=666(diavul), 0(wheel)
diavul@vanity ~$cat /tmp/file
cat: /tmp/file: Permission denied

vanity% id
uid=777(michau) gid=777(michau) groups=777(michau)
vanity% cat /tmp/file
blah

> But in other hand setsugid() is always called after setgroups().
Now You know why ;)


-- 
Michał Belczyk

Attachment: msg36918/pgp00000.pgp
Description: PGP signature

Reply via email to