From 93a04de93e55c9344317fe782028214113359829 Mon Sep 17 00:00:00 2001 From: Zrubi Date: Thu, 14 Jun 2018 10:35:03 +0200 Subject: [PATCH] added setgroups before setuid #50 --- base.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/base.c b/base.c index 1dfe98fc..fb1df693 100644 --- a/base.c +++ b/base.c @@ -468,6 +468,11 @@ static int base_init() } if (instance.user) { + /* This executable is calling setuid and setgid without setgroups or initgroups. + * There is a high probability this mean it didn't relinquish all groups, and + * this would be a potential security issue to be fixed. Seek POS36-C on the web + * for details about the problem. */ + setgroups(0, NULL); if (setuid(uid) < 0) { log_errno(LOG_ERR, "setuid(%i)", uid); goto fail;