From ec2fbf2fb27df0a7aae2c96b9d7ad58f1b52d80c Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Sat, 16 Dec 2023 15:50:52 +0100
Subject: [PATCH] Add new "govulncheck-with-excludes.sh" wrapper script

This allows us to exclude GO-2023-1840 (aka CVE-2023-29403) from our report since we already refuse to operate when users have enabled the `setuid` bit on the binary. Additionally, this updates our in-code check for `setuid` to also disallow `setgid`, but the impact of that configuration is lesser (so this is considered a best-effort pre-emptive mitigation -- hopefully the block on `setuid` has already discouraged users from using `gosu` in this way).
---
 main.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/main.go b/main.go
index 70cc3b6..ce9af42 100644
--- a/main.go
+++ b/main.go
@@ -53,6 +53,9 @@ func main() {
 } else if fi.Mode()&os.ModeSetuid != 0 {
 // ... oh no
 log.Fatalf("error: %q appears to be installed with the 'setuid' bit set, which is an *extremely* insecure and completely unsupported configuration! (what you want instead is likely 'sudo' or 'su')", os.Args[0])
+} else if fi.Mode()&os.ModeSetgid != 0 {
+// ... oh no
+log.Fatalf("error: %q appears to be installed with the 'setgid' bit set, which is not quite *as* insecure as 'setuid', but still not great, and definitely a completely unsupported configuration! (what you want instead is likely 'sudo' or 'su')", os.Args[0])
 }
 }
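Review bot: The new setgid branch, like the existing setuid one, carries only `// ... oh no`, while the commit message says the govulncheck exclusion of GO-2023-1840 (CVE-2023-29403) rests on these checks; that dependency belongs in the code so nobody later relaxes the check without revisiting the exclusion, e.g. `// ... oh no -- refusing setuid/setgid installs is what lets us exclude GO-2023-1840 (CVE-2023-29403) from govulncheck`. The `if` chain and the Stat that produces `fi` start outside the hunk, so it is not visible here which path is stat'd; if it is the `os.Args[0]` value used in the message rather than the running executable itself, the check inspects a caller-supplied path and should be confirmed against the real binary. Both branches end in `log.Fatalf`, so the chain ordering is fine, but the near-identical messages could share one check on `os.ModeSetuid|os.ModeSetgid` if the distinct wording is not deliberate. The subject names a govulncheck-with-excludes.sh wrapper, yet the diffstat lists only main.go; presumably the script lands in a separate commit.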