You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When building rpm packages for openSUSE, rpmlint prints the following complaint:
[ 130s] xrootd-fuse.x86_64: E: missing-call-to-setgroups-before-setuid /usr/bin/xrootdfs
[ 130s] xrootd-libs.x86_64: E: missing-call-to-setgroups-before-setuid /usr/lib64/libXrdUtils.so.3.0.0
[ 130s] xrootd-server.x86_64: E: missing-call-to-setgroups-before-setuid /usr/bin/cmsd
[ 130s] xrootd-server.x86_64: E: missing-call-to-setgroups-before-setuid /usr/bin/xrootd
[ 130s] This executable is calling setuid and setgid without setgroups or initgroups.
[ 130s] This means it didn't relinquish all groups, and this would be a potential
[ 130s] security issue.
I looked at this code and it would appear to be a false warning. First, setgroups is never called as it does not need to be called (note the example link also never calls setgroups). The only requirement is that setgid is to be called before setuid and the code does that. So, is it the case he compiler only checks for setgroups and not setgid? I sure looks that way.
If you are sure this is not necessary in this case, please let me know and we will suppress this false-positive warning for our builds. Thanks for looking into this.
Indeed, this particular use of getgid() and setuid(0 specifically is used to temporarily change to the privileges afforded to a client logging in using a particular username and password (i.e. secpwd security). As such, we do not want to complete destroy the existing ancillary groups afforded to the server as they would be extremely difficult to recreate. See https://security.stackexchange.com/questions/122141/always-setgroups-before-setuid
So, I am closing this as "not an error in the context used".. However, thank you for bringing this to our attention as it's aways good to review potential security issues.
When building rpm packages for openSUSE, rpmlint prints the following complaint:
I am not very conversant with particulars about setuid usage myself, but here is some documentation that may help:
https://wiki.sei.cmu.edu/confluence/plugins/servlet/mobile?contentId=87152295#content/view/87152295
The text was updated successfully, but these errors were encountered: