mcelog/fix_setgroups_missing_call.patch
Thomas Renninger a4f58851e2 Accepting request 282545 from home:trenn:branches:Base:System
- Update to version 1.0.8
- Remove patch which got integrated mainline:
  0001-Continue-without-dmi-when-no-SMBIOS-or-SMBIOS-0x0-in.patch
- Fix possible security issue, build service complained about:
  missing-call-to-setgroups-before-setuid
  Add fix_setgroups_missing_call.patch

OBS-URL: https://build.opensuse.org/request/show/282545
OBS-URL: https://build.opensuse.org/package/show/Base:System/mcelog?expand=0&rev=49
2015-01-23 12:50:02 +00:00


Index: mcelog-1.0.8/mcelog.c
===================================================================
--- mcelog-1.0.8.orig/mcelog.c 2015-01-22 14:56:56.151710136 +0100
+++ mcelog-1.0.8/mcelog.c 2015-01-23 09:58:35.252799171 +0100
@@ -37,6 +37,7 @@
#include <assert.h>
#include <signal.h>
#include <pwd.h>
+#include <grp.h>
#include <sys/wait.h>
#include <fnmatch.h>
#include "mcelog.h"
@@ -1185,6 +1186,14 @@
static void drop_cred(void)
{
+ /* When dropping privileges from root, the `setgroups` call will
+ * remove any extraneous groups. If we don't call this, then
+ * even though our uid has dropped, we may still have groups
+ * that enable us to do super-user things. This will fail if we
+ * aren't root, so don't bother checking the return value, this
+ * is just done as an optimistic privilege dropping function.
+ */
+ setgroups(0, NULL);
if (runcred.uid != -1U && runcred.gid == -1U) {
struct passwd *pw = getpwuid(runcred.uid);
if (pw)
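Review bot: The result of `setgroups(0, NULL)` at the top of drop_cred() is discarded, so a failure while the daemon is still root goes unnoticed and the process would keep its supplementary groups after the uid is dropped. The comment's reasoning only covers the non-root case, where the failure is expected and harmless. A failure as root is the case this patch is meant to prevent, so it should be treated as fatal, for example `if (setgroups(0, NULL) < 0 && geteuid() == 0)` followed by an error report and exit, with `<unistd.h>` included if the file does not already have it. The call is also unconditional, so it runs even when neither `runcred.uid` nor `runcred.gid` is configured; a one-line comment saying that this is intended would help. The rest of drop_cred() lies outside the hunk, so how the later gid and uid changes report errors is not visible here.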