-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/118667/#review60065
-----------------------------------------------------------

Ship it!


Hopefully we never get into this code as root anyway, now that QCoreApplication prevents that. But ok, "just in case".

- David Faure


On June 11, 2014, 2:42 p.m., Dan Vrátil wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/118667/
> -----------------------------------------------------------
>
> (Updated June 11, 2014, 2:42 p.m.)
>
>
> Review request for KDE Frameworks.
>
>
> Repository: kcrash
>
>
> Description
> -------
>
> While packaging kcrash, we got a warning from rpmlint that KCrash calls setgid() without calling setgroups() first. From rpmlint:
>
> This executable is calling setuid and setgid without setgroups or initgroups.
> There is a high probability this mean it didn't relinquish all groups, and this would be a potential security issue to be fixed. Seek POS36-C on the web for details about the problem.
>
> The reasoning is that when you drop privileges from root to regular user, there might be some extra groups left that, if not cleared, might grant the process privileges to do superuser things.
>
> The code does not check for return value, as the call will fail if we are not a superuser.
>
> This oneliner makes rpmlint happy and maybe prevents a security issue.
>
>
> Diffs
> -----
>
> src/kcrash.cpp f05385b
>
> Diff: https://git.reviewboard.kde.org/r/118667/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Dan Vrátil
>
>

_______________________________________________
Kde-frameworks-devel mailing list
Kde-frameworks-devel@kde.org
https://mail.kde.org/mailman/listinfo/kde-frameworks-devel
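
The privilege-drop ordering that the rpmlint warning and POS36-C refer to, as an added example that is not part of the review request or the KCrash source. `drop_privileges` is a hypothetical helper; unlike the one-liner under review it checks return values, tolerating only the EPERM that an unprivileged caller gets from `setgroups()`, and dropping to the real IDs in `main` is an assumed usage.

```c
#define _DEFAULT_SOURCE 1   /* exposes setgroups() in glibc's <grp.h> */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not KCrash code: permanently switch to uid/gid.
 * Returns 0 on success, -1 if a step failed or did not take effect. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* 1. Supplementary groups first, while we may still change them.
     *    Without privilege the call fails with EPERM, which is tolerated:
     *    such a process cannot alter its group list in either direction. */
    if (setgroups(0, NULL) != 0 && (errno != EPERM || geteuid() == 0))
        return -1;

    /* 2. Group before user: after setuid() we could no longer call setgid(). */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* 3. Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;

    /* 4. A permanent drop must not be reversible (checked only when the
     *    target itself is not root). */
    if (uid != 0 && setuid(0) == 0)
        return -1;

    return 0;
}

int main(void)
{
    /* Assumed usage: give up elevated effective IDs, continue as the real user. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid=%ld gid=%ld\n", (long)getuid(), (long)getgid());
    return 0;
}
```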