nbd/0001_fix_setgroup.patch

From 0cd9e3ba2a0f54d930d813bfde9ff9d57a12d9ed Mon Sep 17 00:00:00 2001
From: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Date: Tue, 24 Jul 2018 15:59:39 -0300
Subject: [PATCH] server: clean supplementary groups when setuid
Upstream: merged
References: https://github.com/NetworkBlockDevice/nbd/commit/0cd9e3ba2a0f54d930d813bfde9ff9d57a12d9ed
References: gh#NetworkBlockDevice/nbd#79
References: https://github.com/NetworkBlockDevice/nbd/pull/79 

When nbd-server drops privileges, it was leaving supplementary
groups untouched. As nbd-server was normally dropping from root,
nbd-server kept membership to root supplementary groups.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
---
 nbd-server.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nbd-server.c b/nbd-server.c
index 1d1f4c8d..b0720ea1 100644
--- a/nbd-server.c
+++ b/nbd-server.c
@@ -3470,6 +3470,7 @@ void dousers(const gchar *const username, const gchar *const groupname) {
 			str = g_strdup_printf("Invalid user name: %s", username);
 			err(str);
 		}
+		setgroups(0, NULL);
 		if(setuid(pw->pw_uid)<0) {
 			err("Could not set UID: %m");
 		}
Accepting request 627387 from home:luizluca:branches:network:utilities here we go again: - Add firewalld service file - Fix some rpmlint warnings: * 0001_fix_setgroup.patch (gh#NetworkBlockDevice/nbd#79) * Workaround macro-in-comment (rpmlint bug) OBS-URL: https://build.opensuse.org/request/show/627387 OBS-URL: https://build.opensuse.org/package/show/network:utilities/nbd?expand=0&rev=58 2018-08-13 10:48:32 +02:00			`From 0cd9e3ba2a0f54d930d813bfde9ff9d57a12d9ed Mon Sep 17 00:00:00 2001`
			`From: Luiz Angelo Daros de Luca <luizluca@gmail.com>`
			`Date: Tue, 24 Jul 2018 15:59:39 -0300`
			`Subject: [PATCH] server: clean supplementary groups when setuid`
			`Upstream: merged`
			`References: https://github.com/NetworkBlockDevice/nbd/commit/0cd9e3ba2a0f54d930d813bfde9ff9d57a12d9ed`
			`References: gh#NetworkBlockDevice/nbd#79`
			`References: https://github.com/NetworkBlockDevice/nbd/pull/79`

			`When nbd-server drops privileges, it was leaving supplementary`
			`groups untouched. As nbd-server was normally dropping from root,`
			`nbd-server kept membership to root supplementary groups.`

			`Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>`
			`---`
			`nbd-server.c \| 1 +`
			`1 file changed, 1 insertion(+)`

			`diff --git a/nbd-server.c b/nbd-server.c`
			`index 1d1f4c8d..b0720ea1 100644`
			`--- a/nbd-server.c`
			`+++ b/nbd-server.c`
			`@@ -3470,6 +3470,7 @@ void dousers(const gchar const username, const gchar const groupname) {`
			`str = g_strdup_printf("Invalid user name: %s", username);`
			`err(str);`
			`}`
			`+ setgroups(0, NULL);`
			`if(setuid(pw->pw_uid)<0) {`
			`err("Could not set UID: %m");`
			`}`