--nextPart8938458.aWtBP7Zi3L Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Hi, While debugging p11-kit, I found out a different behaviour of __libc_enable_secure between Linux and Hurd. In particular: $ cat <frob-gid.c #include int main(void) { extern int __libc_enable_secure; printf("__libc_enable_secure =3D %d\n", __libc_enable_secure); return 0; } EOF $ cc -o frob-gid frob-gid.c $ ./frob-gid __libc_enable_secure =3D 0 Now we make frob-gid sgid, using another of the groups of the current user: $ groups users dialout [...] $ chown $(id -nu).dialout frob-gid $ chmod g+s frob-gid At this point, the output of frob-gid is 1 on Linux, while 0 on Hurd. __libc_enable_secure is set by checking for the EXEC_SECURE flag, which= =20 e.g. diskfs_S_file_exec sets before calling exec_exec. Reading=20 fshelp_exec_reauth makes me think this behaviour is somehow wanted, and= =20 this code (except fixes like 913d709e1) is basically doing that way for= decades. p11-kit uses __libc_enable_secure in its replacement for getauxval(AT_SECURE), falling back to issetugid (which we don't have) and then to getresuid (which we have). I don't have much knowledge in how this behaviour should be, so a) the current Hurd behaviour is fine and conformant, so p11-kit should= avoid using __libc_enable_secure for getauxval(AT_SECURE) b) the behaviour is wrong and should be fixed in Hurd ? Thanks, =2D-=20 Pino Toscano --nextPart8938458.aWtBP7Zi3L Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part. Content-Transfer-Encoding: 7Bit -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIVAwUAVY6RAi0ZHIhDsT9NAQilFg//ViwPP1UJgyS1S0xKIX07I9PANJKyE0v+ JujPPrCiuWHavnOvH3wSaojzw8wJmY6f18/UAofuHbeWj30nC+LdKHY6CWMbKIL8 RtWFuJ4ScYtMGUun2cVA1hzzf2cvsJWscXc9uw1CPBGnExkNoXjh3pLJq0VUYrQb eJdbqwGePuTRKnHqTRA6cOG/lYwd76/lflUGaJ5n12/4TDVosUOoNJc9MdyrOcD3 NAJTo9xtERGcSqND41vo77wrdinKBPZ1CPO4jHm7wH5zyzqTZDomiZsbW3q147bj NlUNmenoVvJVcgERlsmrlowC9B8OENxTPtICYAPY5y6xR5Jl74AoVNTeOIXfHhJA trycLm1nnRvsU3ZVfAYTUFOVXf0y5XyaRaIljesZZriEg1pojMT3QMJBGx7g78pc dY7kJqD7m5Fml0P+OI4apINtSh0u23qsym2aRmiSfQbQLGLp9Z2D9Mw938djhorg tH6wz0ULZc0/nalbVxFjW+eRppGAhEfaSeZTRE5Rbp7A2HAMm8yV8simh4953wDI gU7PPt+TIMDjH1aRpjiVyHZJdYBwKqNUGAKmfMJAlIGoIwU+fjeGbNmysaouJl+/ /nAFxn/+bbLs1SeXI2V5bPGclyL7qSDceTX9yLEBmv1q2LTWd9gwCIeoFsYchMJ4 dKKyJ5Qs9xY= =8z+t -----END PGP SIGNATURE----- --nextPart8938458.aWtBP7Zi3L--