mcelog/fix_setgroups_missing_call.patch

Index: mcelog-1.60/mcelog.c
===================================================================
--- mcelog-1.60.orig/mcelog.c	2018-09-24 15:15:35.668459814 +0200
+++ mcelog-1.60/mcelog.c	2018-09-24 15:15:41.648815524 +0200
@@ -37,6 +37,7 @@
 #include <assert.h>
 #include <signal.h>
 #include <pwd.h>
+#include <grp.h>
 #include <sys/wait.h>
 #include <fnmatch.h>
 #include "mcelog.h"
@@ -1247,6 +1248,14 @@ static void general_setup(void)
 
 static void drop_cred(void)
 {
+	/* When dropping privileges from root, the `setgroups` call will
+	 * remove any extraneous groups. If we don't call this, then
+	 * even though our uid has dropped, we may still have groups
+	 * that enable us to do super-user things. This will fail if we
+	 * aren't root, so don't bother checking the return value, this
+	 * is just done as an optimistic privilege dropping function.
+	 */
+	setgroups(0, NULL);
 	if (runcred.uid != -1U && runcred.gid == -1U) {
 		struct passwd *pw = getpwuid(runcred.uid);
 		if (pw)
Accepting request 637679 from home:trenn:branches:Base:System (by trenn@suse.de) - Update to version 1.60 (fate#326221): * Turn back rb_color field into unsigned long * trigger: add a sync argument for waiting trigger child process exit * page: trigger: add pre/post sync trigger when doing soft memory offline * fixed build errors for some lose code when merging code * transfer the page address to pre/post-sync-trigger scripts * mcelog: Fix "--ascii" parsing to cope with change in kernel output since v4.10 * Remove now unused local variable * Add scripts file to do MCA error code validation for a selected CPU model * Add license file * mcelog: Improve decoding for APEI reported errors OBS-URL: https://build.opensuse.org/request/show/637679 OBS-URL: https://build.opensuse.org/package/show/Base:System/mcelog?expand=0&rev=71 2018-09-24 15:47:13 +02:00			`Index: mcelog-1.60/mcelog.c`
Accepting request 282545 from home:trenn:branches:Base:System - Update to version 1.0.8 - Remove patch which got integrated mainline: 0001-Continue-without-dmi-when-no-SMBIOS-or-SMBIOS-0x0-in.patch - Fix possible security issue, build service complained about: missing-call-to-setgroups-before-setuid Add fix_setgroups_missing_call.patch OBS-URL: https://build.opensuse.org/request/show/282545 OBS-URL: https://build.opensuse.org/package/show/Base:System/mcelog?expand=0&rev=49 2015-01-23 13:50:02 +01:00			`===================================================================`
Accepting request 637679 from home:trenn:branches:Base:System (by trenn@suse.de) - Update to version 1.60 (fate#326221): * Turn back rb_color field into unsigned long * trigger: add a sync argument for waiting trigger child process exit * page: trigger: add pre/post sync trigger when doing soft memory offline * fixed build errors for some lose code when merging code * transfer the page address to pre/post-sync-trigger scripts * mcelog: Fix "--ascii" parsing to cope with change in kernel output since v4.10 * Remove now unused local variable * Add scripts file to do MCA error code validation for a selected CPU model * Add license file * mcelog: Improve decoding for APEI reported errors OBS-URL: https://build.opensuse.org/request/show/637679 OBS-URL: https://build.opensuse.org/package/show/Base:System/mcelog?expand=0&rev=71 2018-09-24 15:47:13 +02:00			`--- mcelog-1.60.orig/mcelog.c 2018-09-24 15:15:35.668459814 +0200`
			`+++ mcelog-1.60/mcelog.c 2018-09-24 15:15:41.648815524 +0200`
Accepting request 282545 from home:trenn:branches:Base:System - Update to version 1.0.8 - Remove patch which got integrated mainline: 0001-Continue-without-dmi-when-no-SMBIOS-or-SMBIOS-0x0-in.patch - Fix possible security issue, build service complained about: missing-call-to-setgroups-before-setuid Add fix_setgroups_missing_call.patch OBS-URL: https://build.opensuse.org/request/show/282545 OBS-URL: https://build.opensuse.org/package/show/Base:System/mcelog?expand=0&rev=49 2015-01-23 13:50:02 +01:00			`@@ -37,6 +37,7 @@`
			`#include <assert.h>`
			`#include <signal.h>`
			`#include <pwd.h>`
			`+#include <grp.h>`
			`#include <sys/wait.h>`
			`#include <fnmatch.h>`
			`#include "mcelog.h"`
Accepting request 637679 from home:trenn:branches:Base:System (by trenn@suse.de) - Update to version 1.60 (fate#326221): * Turn back rb_color field into unsigned long * trigger: add a sync argument for waiting trigger child process exit * page: trigger: add pre/post sync trigger when doing soft memory offline * fixed build errors for some lose code when merging code * transfer the page address to pre/post-sync-trigger scripts * mcelog: Fix "--ascii" parsing to cope with change in kernel output since v4.10 * Remove now unused local variable * Add scripts file to do MCA error code validation for a selected CPU model * Add license file * mcelog: Improve decoding for APEI reported errors OBS-URL: https://build.opensuse.org/request/show/637679 OBS-URL: https://build.opensuse.org/package/show/Base:System/mcelog?expand=0&rev=71 2018-09-24 15:47:13 +02:00			`@@ -1247,6 +1248,14 @@ static void general_setup(void)`
Accepting request 282545 from home:trenn:branches:Base:System - Update to version 1.0.8 - Remove patch which got integrated mainline: 0001-Continue-without-dmi-when-no-SMBIOS-or-SMBIOS-0x0-in.patch - Fix possible security issue, build service complained about: missing-call-to-setgroups-before-setuid Add fix_setgroups_missing_call.patch OBS-URL: https://build.opensuse.org/request/show/282545 OBS-URL: https://build.opensuse.org/package/show/Base:System/mcelog?expand=0&rev=49 2015-01-23 13:50:02 +01:00
			`static void drop_cred(void)`
			`{`
			+ /* When dropping privileges from root, the `setgroups` call will
			`+ * remove any extraneous groups. If we don't call this, then`
			`+ * even though our uid has dropped, we may still have groups`
			`+ * that enable us to do super-user things. This will fail if we`
			`+ * aren't root, so don't bother checking the return value, this`
			`+ * is just done as an optimistic privilege dropping function.`
			`+ */`
			`+ setgroups(0, NULL);`
			`if (runcred.uid != -1U && runcred.gid == -1U) {`
			`struct passwd *pw = getpwuid(runcred.uid);`
			`if (pw)`