Review Request 119011: KInit: call setgroups(0, 0) before calling setgid()

Dan Vrátil dvratil at redhat.com
Sun Jun 29 10:50:04 UTC 2014


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/119011/
-----------------------------------------------------------

Review request for KDE Frameworks.


Repository: kinit


Description
-------

While packaging kinit, we got a warning from rpmlint that start_kdeinit calls setgid() without calling setgroups() first. From rpmlint:

   This executable is calling setuid and setgid without setgroups or initgroups.
   There is a high probability this mean it didn't relinquish all groups, and
   this would be a potential security issue to be fixed. Seek POS36-C on the web
   for details about the problem.

The reasoning is that when you drop privileges from root to regular user, there might be some extra groups left that, if not cleared, might grant the process privileges to do superuser things.

The code does not check for return value, as the call will fail if we are not a superuser.

This oneliner makes rpmlint happy and maybe prevents a security issue.


Diffs
-----

  src/start_kdeinit/start_kdeinit.c 07a28d3 

Diff: https://git.reviewboard.kde.org/r/119011/diff/


Testing
-------


Thanks,

Dan Vrátil

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-frameworks-devel/attachments/20140629/0243667e/attachment-0001.html>


More information about the Kde-frameworks-devel mailing list