#117 attempt to add setgroups as needed (needs testsuite)

[Anonymous]

Originally created by: chassell

setgroups needs to be called to eliminate highly powerful group permissions from a later setegid call.

this closes [#74]

[Anonymous]

Originally posted by: chassell

I'm hesitant for a moment because the author of the issue mentioned an automated scanner.

The automated scanner, rightfully so, noted that any change out from a highly privileged state may bring extra group access along ... or mark things with a group that the calling user doesn't have. Any full login adds a big list of groups that are all available at once ... and often forgotten when uid/gid are changed.

However one of the places I changed is, apparently, the use of "seteuid(0)" and then back to "seteuid(getuid())" ... with the same for groups. If someone is gaining root for a brief moment, the entire list of groups are not being added in.

The question really is more a matter of "did this program get tainted in some file descriptor" or some other matter ... but that's just a question for root-using-programs and nothing affected the set of groups.

On 9/16/19 8:52 PM, Dustin J. Mitchell wrote:

@djmitche commented on this pull request.

This looks sensible at a quick glance, but it's been a long time since I was deeply involved in UNIX permissions.

[Anonymous]

Originally posted by: chassell

this needs a test suite run on it... is what.

[Anonymous]

Ticket changed by: chassell

• status: open --> closed