[dev.icinga.com #6659] RPMLint security warning - missing-call-to-setgroups-before-setuid /usr/sbin/icinga2

[icinga-migration]

This issue has been migrated from Redmine: https://dev.icinga.com/issues/6659

Created by theh on 2014-07-07 08:55:25 +00:00

Assignee: gbeutner
Status: Resolved (closed on 2014-07-11 12:27:15 +00:00)
Target Version: 2.0.2
Last Update: 2014-07-11 12:29:08 +00:00 (in Redmine)

Icinga Version: 2.0.0

---

I get a security related RPMLint warning when building Icinga 2.

icinga2-bin.x86_64: W: missing-call-to-setgroups-before-setuid /usr/sbin/icinga2
[ 418s] This executable is calling setuid and setgid without setgroups or initgroups.
[ 418s] There is a high probability this mean it didn't relinquish all groups, and
[ 418s] this would be a potential security issue to be fixed. Seek POS36-C on the web
[ 418s] for details about the problem.

I don't know the code that well so it would be great if someone could check if this warning is relevant. More information about this issue: https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges

Changesets

2014-07-11 12:26:21 +00:00 by gbeutner 4cc51f9

Call setgroups() before setgid/setuid

fixes #6659

[icinga-migration]

Updated by gbeutner on 2014-07-11 08:36:11 +00:00

• Target Version set to 2.0.2

[icinga-migration]

Updated by gbeutner on 2014-07-11 09:04:56 +00:00

• Estimated Hours set to 2

Required changes:

• Figure out whether we need setgroups/initgroups
• Add setgroups/initgroups call

[icinga-migration]

Updated by gbeutner on 2014-07-11 12:13:57 +00:00

• Assigned to set to gbeutner

[icinga-migration]

Updated by gbeutner on 2014-07-11 12:27:15 +00:00

• Status changed from New to Resolved
• Done % changed from 0 to 100

Applied in changeset 4cc51f9.