Add new "govulncheck-with-excludes.sh" wrapper script
This allows us to exclude GO-2023-1840 (aka CVE-2023-29403) from our report since we already refuse to operate when users have enabled the `setuid` bit on the binary.

Additionally, this updates our in-code check for `setuid` to also disallow `setgid`, but the impact of that configuration is lesser (so this is considered a best-effort pre-emptive mitigation -- hopefully the block on `setuid` has already discouraged users from using `gosu` in this way).
tianon authored and crazy-max committed Dec 16, 2023
1 parent 8da30b1 commit ec2fbf2
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions main.go
Expand Up @@ -53,6 +53,9 @@ func main() {
} else if fi.Mode()&os.ModeSetuid != 0 {
// ... oh no
log.Fatalf("error: %q appears to be installed with the 'setuid' bit set, which is an *extremely* insecure and completely unsupported configuration! (what you want instead is likely 'sudo' or 'su')", os.Args[0])
} else if fi.Mode()&os.ModeSetgid != 0 {
// ... oh no
log.Fatalf("error: %q appears to be installed with the 'setgid' bit set, which is not quite *as* insecure as 'setuid', but still not great, and definitely a completely unsupported configuration! (what you want instead is likely 'sudo' or 'su')", os.Args[0])
}
}
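Review bot: Because the new `setgid` test is a separate `else if` placed after the `setuid` one, a binary carrying both bits reports only the 'setuid' message; that is acceptable since both branches end in `log.Fatalf`, but if the intent is simply to refuse either bit, a single check on `fi.Mode()&(os.ModeSetuid|os.ModeSetgid) != 0` would avoid two near-identical branches whose wording can drift apart. Separately, the commit title announces a `govulncheck-with-excludes.sh` wrapper script, yet this diff touches only `main.go` (1 changed file, 3 additions), so the script evidently lives in another commit and the message should say which one.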
