List: kde-devel
Subject: pam-kwallet - call setgroups before calling setuid/setgid
From: Jan Grulich <jgrulich () redhat ! com>
Date: 2014-04-30 14:21:52
Message-ID: 4744767.llr2mP1CaE () localhost ! localdomain
Hi,
here is a simple patch taken from libuv [1] or sslh [2]. I found this
problem when I was doing a package review and rpmlint was yelling at me.
Here is the original rpmlint error:
error E: missing-call-to-setgroups /lib/security/pam_kwallet.so
I was trying to find out what it means and found the solution. I've also tested
it with rpmlint again and no error shows up.
[1] http://goo.gl/lCfFnV
[2] http://goo.gl/auW6UL
Cheers,
Jan
--
Jan Grulich
Red Hat Czech, s.r.o
jgrulich@redhat.com
["pam-kwallet.patch" (pam-kwallet.patch)]
diff --git pam_kwallet.c pam_kwallet.c
index ed0a89f..1873aae 100644
--- pam_kwallet.c
+++ pam_kwallet.c
@@ -22,6 +22,7 @@
#include <unistd.h>
#include <stdlib.h>
#include <errno.h>
+#include <grp.h>
#define PAM_SM_PASSWORD
#define PAM_SM_SESSION
@@ -283,6 +284,15 @@ static void execute_kwallet(pam_handle_t *pamh, struct passwd *userInfo, int toW
//This is the side of the pipe PAM will send the hash to
close (toWalletPipe[1]);
+ /* When dropping privileges from root, the `setgroups` call will
+ * remove any extraneous groups. If we don't call this, then
+ * even though our uid has dropped, we may still have groups
+ * that enable us to do super-user things. This will fail if we
+ * aren't root, so don't bother checking the return value, this
+ * is just done as an optimistic privilege dropping function.
+ */
+ setgroups(0, NULL);
+
//Change to the user in case we are not it yet
if (setgid (userInfo->pw_gid) < 0 || setuid (userInfo->pw_uid) < 0 ||
setegid (userInfo->pw_gid) < 0 || seteuid (userInfo->pw_uid) < 0) {
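Review bot: the return value of setgroups(0, NULL) in execute_kwallet is discarded, so if the call fails while the process is root, the inherited supplementary groups stay in place and the setgid/setuid check on the following lines still passes. The comment justifies ignoring the result by the non-root case, but the two cases can be told apart: either call it only when geteuid() == 0, or check the result and ignore only EPERM (errno.h is already included), and fail alongside the setgid/setuid checks otherwise. Also consider initgroups(userInfo->pw_name, userInfo->pw_gid) in place of an empty list, since setgroups(0, NULL) leaves the process without any of the target user's own supplementary groups.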