-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/119011/#review88231
-----------------------------------------------------------


This broke the ability of users to have more than one group (usermod), for 
groups like vboxusers and systemd-journal. Now, start_kdeinit unconditionally 
drops all groups and that's wrong.

It should call getgrouplist(3) and set those groups on the user.

Besides, I'm not convinced the rpmlint warning was correct.

- Thiago Macieira


On July 1, 2014, 10:21 a.m., Daniel Vrátil wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/119011/
> -----------------------------------------------------------
> 
> (Updated July 1, 2014, 10:21 a.m.)
> 
> 
> Review request for KDE Frameworks.
> 
> 
> Repository: kinit
> 
> 
> Description
> -------
> 
> While packaging kinit, we got a warning from rpmlint that start_kdeinit calls 
> setgid() without calling setgroups() first. From rpmlint:
> 
>    This executable is calling setuid and setgid without setgroups or initgroups.
>    There is a high probability this mean it didn't relinquish all groups, and
>    this would be a potential security issue to be fixed. Seek POS36-C on the web
>    for details about the problem.
> 
> The reasoning is that when you drop privileges from root to regular user, 
> there might be some extra groups left that, if not cleared, might grant the 
> process privileges to do superuser things.
> 
> The code does not check the return value, as the call will fail if we are not 
> a superuser.
> 
> This one-liner makes rpmlint happy and maybe prevents a security issue.
> 
> 
> Diffs
> -----
> 
>   src/start_kdeinit/start_kdeinit.c 07a28d3 
> 
> Diff: https://git.reviewboard.kde.org/r/119011/diff/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Daniel Vrátil
> 
>
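One way to implement what the reply above asks for, as an added example that is not kinit's start_kdeinit code: the supplementary groups come from getgrouplist(3) instead of an empty list, they are set before setgid()/setuid() while the process is still root, and every return value is checked. The function names and the 65536 growth cap are this example's own choices.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Compute the supplementary groups getgrouplist(3) assigns to `user` (primary
 * gid `gid`); stores a malloc'd array in *out and returns the count, or -1. */
int user_group_list(const char *user, gid_t gid, gid_t **out)
{
    int cap = 16;
    gid_t *groups = NULL;
    while (cap <= 65536) {                     /* guard against endless growth */
        gid_t *tmp = realloc(groups, (size_t)cap * sizeof *tmp);
        if (!tmp) break;
        groups = tmp;
        int n = cap;
        if (getgrouplist(user, gid, groups, &n) != -1) {
            *out = groups;
            return n;                          /* n now holds the real count */
        }
        cap = (n > cap) ? n : cap * 2;         /* glibc reports the size needed */
    }
    free(groups);
    return -1;
}

/* Drop from root to `user` in the order POS36-C requires: supplementary
 * groups, then primary gid, then uid, with each return value checked. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (!pw) { fprintf(stderr, "unknown user %s\n", user); return -1; }
    gid_t *groups = NULL;
    int n = user_group_list(user, pw->pw_gid, &groups);
    if (n < 0) { perror("getgrouplist"); return -1; }
    /* Replace the inherited root supplementary set with the user's own groups
     * (not an empty list), so memberships such as vboxusers survive. */
    int rc = setgroups((size_t)n, groups);
    free(groups);
    if (rc != 0) { perror("setgroups"); return -1; }
    if (setgid(pw->pw_gid) != 0) { perror("setgid"); return -1; }
    if (setuid(pw->pw_uid) != 0) { perror("setuid"); return -1; }
    /* Confirm the drop cannot be undone: regaining root must fail. */
    if (pw->pw_uid != 0 && setuid(0) == 0) { fputs("privileges not dropped\n", stderr); return -1; }
    return 0;
}
```

Only drop_privileges() needs root; user_group_list() can be exercised by any user, which is how a packager can check that the computed group set matches `id -G` for the target account.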

_______________________________________________
Kde-frameworks-devel mailing list
Kde-frameworks-devel@kde.org
https://mail.kde.org/mailman/listinfo/kde-frameworks-devel
