From kde-devel  Wed Apr 30 14:21:52 2014
From: Jan Grulich <jgrulich () redhat ! com>
Date: Wed, 30 Apr 2014 14:21:52 +0000
To: kde-devel
Subject: pam-kwallet - call setgroups before calling setuid/setgid
Message-Id: <4744767.llr2mP1CaE () localhost ! localdomain>
X-MARC-Message: https://marc.info/?l=kde-devel&m=139886774823392
MIME-Version: 1
Content-Type: multipart/mixed; boundary="--nextPart3465386.BxDMAQtf7n"

This is a multi-part message in MIME format.

--nextPart3465386.BxDMAQtf7n
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"

Hi,

here is a simple patch taken from libuv [1] or sslh [2]. I've found this 
problem when I was doing package review and rpmlint was yelling on me.

Here is the original rpmlint error:
error E: missing-call-to-setgroups /lib/security/pam_kwallet.so

I was trying to find what does it mean and found the solution. I've also tested 
it with rpmlint again and no error shows up.

[1] http://goo.gl/lCfFnV
[2] http://goo.gl/auW6UL

Cheers,
Jan

-- 
Jan Grulich 
Red Hat Czech, s.r.o
jgrulich@redhat.com
--nextPart3465386.BxDMAQtf7n
Content-Disposition: attachment; filename="pam-kwallet.patch"
Content-Transfer-Encoding: 7Bit
Content-Type: text/x-patch; charset="UTF-8"; name="pam-kwallet.patch"

diff --git pam_kwallet.c pam_kwallet.c
index ed0a89f..1873aae 100644
--- pam_kwallet.c
+++ pam_kwallet.c
@@ -22,6 +22,7 @@
 #include <unistd.h>
 #include <stdlib.h>
 #include <errno.h>
+#include <grp.h>
 
 #define PAM_SM_PASSWORD
 #define PAM_SM_SESSION
@@ -283,6 +284,15 @@ static void execute_kwallet(pam_handle_t *pamh, struct passwd *userInfo, int toW
     //This is the side of the pipe PAM will send the hash to
     close (toWalletPipe[1]);
 
+    /* When dropping privileges from root, the `setgroups` call will
+    * remove any extraneous groups. If we don't call this, then
+    * even though our uid has dropped, we may still have groups
+    * that enable us to do super-user things. This will fail if we
+    * aren't root, so don't bother checking the return value, this
+    * is just done as an optimistic privilege dropping function.
+    */
+    setgroups(0, NULL);
+
     //Change to the user in case we are not it yet
     if (setgid (userInfo->pw_gid) < 0 || setuid (userInfo->pw_uid) < 0 ||
         setegid (userInfo->pw_gid) < 0 || seteuid (userInfo->pw_uid) < 0) { 

--nextPart3465386.BxDMAQtf7n
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<

--nextPart3465386.BxDMAQtf7n--