missing-call-to-setgroups-before-setuid #696
Comments
Are you sure? The code has been taken from Sway: https://github.com/swaywm/sway/blob/master/sway/main.c#L188 The use-case here is setting the SUID bit. As far as I know, this only modifies the effective user/group id, nothing else. Isn't that right?
Yes, I'm sure, there is a similar error in sway.
I am not 100% sure what a correct fix would be, but would gladly accept a PR.
Relevant links:
For possibly relevant code: @DeadMozay could you link to an open issue in Sway about this?
Wouldn't this manifest itself as wrong
Output of
is
as my own user and
when it's setuid. What kind of situation makes
Here are the details, POS36-C
Does Wayfire try to call setgroups anywhere to change the supplementary groups?
Definitely not, I didn't even know what that is before this issue was opened.
So I don't see how calling
Alright, @DeadMozay thanks for the link, but if you read carefully, we need to setgroups only if we modify supplementary groups, which we don't.
This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this means it didn't relinquish all groups, and
this would be a potential security issue to be fixed.
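An added example, not code from Wayfire or Sway: a permanent privilege drop in the order this thread discusses (supplementary groups, then gid, then uid), followed by a check that root cannot be regained. The helper name `drop_to` and its rule for when `setgroups` is called are assumptions of this example.

```c
#define _DEFAULT_SOURCE   /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (name and policy are this example's assumptions).
 * Permanently switch to uid/gid. Returns 0 on success, -1 on failure.
 */
int drop_to(uid_t uid, gid_t gid)
{
    /*
     * A setuid-root binary returning to its invoker (uid == getuid())
     * already carries the invoker's supplementary groups. A process that
     * changes identity (root daemon -> service user) still carries the
     * old ones and must replace them while it is still privileged.
     */
    if (uid != getuid() && setgroups(1, &gid) != 0) {
        perror("setgroups");
        return -1;
    }
    /* gid before uid: once the uid is gone, setgid() is no longer permitted. */
    if (setgid(gid) != 0) { perror("setgid"); return -1; }
    if (setuid(uid) != 0) { perror("setuid"); return -1; }

    /* Verify that the ids are what was asked for... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* ...and that an unprivileged target cannot get root back. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    if (uid != 0 && gid != 0 && setegid(0) == 0) return -1;
    return 0;
}

int main(void)
{
    /* The setuid-bit case from this issue: return to the invoking user. */
    if (drop_to(getuid(), getgid()) != 0) {
        fprintf(stderr, "refusing to start: privilege drop failed\n");
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```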