<html>
<body>
<div style="font-family: Verdana, Arial, Helvetica, Sans-Serif;">
<table bgcolor="#f9f3c9" width="100%" cellpadding="12" style="border: 1px #c9c399 solid; border-radius: 6px; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tr>
<td>
This is an automatically generated e-mail. To reply, visit:
<a href="https://git.reviewboard.kde.org/r/119011/">https://git.reviewboard.kde.org/r/119011/</a>
</td>
</tr>
</table>
<br />
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"><p style="padding: 0;text-rendering: inherit;margin: 0;line-height: inherit;white-space: inherit;">This broke the ability of users to have more than one group (usermod), for groups like vboxusers and systemd-journal. Now, start_kdeinit unconditionally drops all groups and that's wrong.</p>
<p style="padding: 0;text-rendering: inherit;margin: 0;line-height: inherit;white-space: inherit;">It should call getgrouplist(3) and set those groups on the user.</p>
<p style="padding: 0;text-rendering: inherit;margin: 0;line-height: inherit;white-space: inherit;">Besides, I'm not convinced the rpmlint warning was correct.</p></pre>
<br />
<p>- Thiago Macieira</p>
<br />
<p>On July 1st, 2014, 10:21 a.m. UTC, Daniel Vrátil wrote:</p>
<table bgcolor="#fefadf" width="100%" cellspacing="0" cellpadding="12" style="border: 1px #888a85 solid; border-radius: 6px; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tr>
<td>
<div>Review request for KDE Frameworks.</div>
<div>By Daniel Vrátil.</div>
<p style="color: grey;"><i>Updated July 1, 2014, 10:21 a.m.</i></p>
<div style="margin-top: 1.5em;">
<b style="color: #575012; font-size: 10pt;">Repository: </b>
kinit
</div>
<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Description </h1>
<table width="100%" bgcolor="#ffffff" cellspacing="0" cellpadding="10" style="border: 1px solid #b8b5a0">
<tr>
<td>
<pre style="margin: 0; padding: 0; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">While packaging kinit, we got a warning from rpmlint that start_kdeinit calls setgid() without calling setgroups() first. From rpmlint:
This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this mean it didn't relinquish all groups, and
this would be a potential security issue to be fixed. Seek POS36-C on the web
for details about the problem.
The reasoning is that when you drop privileges from root to regular user, there might be some extra groups left that, if not cleared, might grant the process privileges to do superuser things.
The code does not check the return value, as the call will fail if we are not a superuser.
This one-liner makes rpmlint happy and maybe prevents a security issue.</pre>
</td>
</tr>
</table>
<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Diffs </h1>
<ul style="margin-left: 3em; padding-left: 0;">
<li>src/start_kdeinit/start_kdeinit.c <span style="color: grey">(07a28d3)</span></li>
</ul>
<p><a href="https://git.reviewboard.kde.org/r/119011/diff/" style="margin-left: 3em;">View Diff</a></p>
</td>
</tr>
</table>
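<p>The approach suggested in the reply above (look up the target user's groups with getgrouplist(3) and set them, rather than clearing every group), shown as an added example that is not kinit's code. It assumes Linux with glibc, and the helper names load_user_groups and drop_to_user are hypothetical.</p>

```c
#define _DEFAULT_SOURCE   /* getgrouplist(3) and setgroups(2) on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: fetch uid's primary gid and malloc'd group list (caller frees). */
int load_user_groups(uid_t uid, gid_t *primary, gid_t **groups, int *ngroups)
{
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL)
        return -1;
    *primary = pw->pw_gid;
    int n = 16;
    gid_t *list = NULL;
    /* On a too-small buffer getgrouplist() returns -1 and updates n: retry once. */
    for (int attempt = 0; attempt < 2; attempt++) {
        gid_t *p = realloc(list, (size_t)n * sizeof *p);
        if (p == NULL)
            break;
        list = p;
        if (getgrouplist(pw->pw_name, pw->pw_gid, list, &n) != -1) {
            *groups = list;
            *ngroups = n;
            return 0;
        }
    }
    free(list);
    return -1;
}

/* Hypothetical helper: drop root to uid in the order groups, gid, uid. */
int drop_to_user(uid_t uid)
{
    gid_t primary = 0, *groups = NULL;
    int n = 0;
    if (uid == 0)
        return -1;              /* "dropping" to root is not a drop */
    if (geteuid() != 0)
        return 0;               /* unprivileged: setgroups() would fail */
    if (load_user_groups(uid, &primary, &groups, &n) != 0)
        return -1;
    int rc = setgroups((size_t)n, groups);
    free(groups);
    if (rc != 0 || setgid(primary) != 0 || setuid(uid) != 0)
        return -1;
    /* Regaining root must now fail, otherwise the drop did not take. */
    return (setuid(0) == -1 && getuid() == uid && getgid() == primary) ? 0 : -1;
}
```

<p>Unlike the change under review, every return value is checked once the process is known to be privileged, so a failed setgroups() aborts the drop instead of leaving root's groups in place.</p>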
</div>
</body>
</html>