
#356 setgroups() not called before setuid()

v1.0 (example)
open
nobody
None
5
2023-07-05
2023-07-05
No

When dropping privileges at tree/minidlna.c:1072, setuid() is called without the recommended setgroups() call preceding it.

See the following links for more detailed discussion on why that's recommended.
https://security.stackexchange.com/questions/122141/always-setgroups-before-setuid
CERT C rule POS36-C
Dropping Privileges in setuid Programs

I propose the attached patch to address this issue.

1 Attachments
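The ordering the ticket asks for, as an added example; this is not the attached patch and not minidlna code. The helper name `drop_privileges` and the `main` usage are hypothetical, and the example goes slightly beyond the ticket by also setting the primary group and verifying that root cannot be regained.

```c
#define _DEFAULT_SOURCE   /* exposes setgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not minidlna code): permanently switch a root
 * process to uid/gid. Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {       /* switching to root drops nothing */
        errno = EINVAL;
        return -1;
    }
    /* 1. Supplementary groups first: this needs root, so it must precede
     *    setuid(). Skipping it leaves root's groups on the process. */
    if (setgroups(1, &gid) != 0)
        return -1;
    /* 2. Primary group next, for the same reason. */
    if (setgid(gid) != 0)
        return -1;
    /* 3. User last: as root this sets real, effective and saved UID. */
    if (setuid(uid) != 0)
        return -1;
    /* 4. Verify the new identity and that root cannot be regained. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid ||
        getegid() != gid || setuid(0) == 0 || setgid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed usage: ./drop <uid> <gid>, run as root. */
    if (argc != 3) {
        fprintf(stderr, "usage: %s <uid> <gid>\n", argv[0]);
        return 2;
    }
    if (drop_privileges((uid_t)atoi(argv[1]), (gid_t)atoi(argv[2])) != 0) {
        perror("drop_privileges");
        return 1;   /* never continue running with partial privileges */
    }
    printf("now uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```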
