[X2Go-Dev] setuid/setgid in libXcomp
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Thu Aug 29 09:44:19 CEST 2013
Hi Orion,
On Do 29 Aug 2013 01:14:39 CEST Orion Poplawski wrote:
> On 07/25/2013 02:54 PM, Mike Gabriel wrote:
>> Hi Orion,
>>
>> On Do 25 Jul 2013 22:30:52 CEST Orion Poplawski wrote:
>>
>>> On 07/14/2013 03:33 AM, Moritz Strübe wrote:
>>>> Hey,
>>>>
>>>> this is a bit of guesswork, but,
>>>> * getgid gets the _real_ real gid
>>>> * setgid sets the _effective_ gid
>>>> Thus you reset the effective s/gid.
>>>>
>>>> Morty
>>
>>> But why does it need to call this? Isn't everything running as the user
>>> already?
>>>
>>
>> Everything in NX runs under the user who launches the X2Go session. IMHO
>> resetting the effective GID prevents us from setgid file permission
>> manipulations, so that the effective group ID is always the primary/real
>> group ID of the current user that is executing the NX binary.
>>
>> Greets,
>> Mike
>
> Some more info:
>
> This executable is calling setuid and setgid without setgroups or initgroups.
> There is a high probability this means it didn't relinquish all groups, and
> this would be a potential security issue to be fixed. Search for POS36-C on
> the web for details about the problem.
>
> Ref POS36-C:
>
> https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges
I just looked at the code again. The order (setgid, then setuid) is ok
in the NX code. Will you work on the setgroups/initgroups thing?
We at least need a bug report against nx-libs. Can you please file
that against X2Go BTS?
Thanks,
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
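The point raised in the thread is the privilege-revocation order from POS36-C: supplementary groups must be given up first (setgroups or initgroups), then the primary gid, then the uid, and the result should be verified rather than assumed. The following is an added example written for this note; it is not code from the thread, from nx-libs or from X2Go. The function names (`drop_privileges`, `privileges_dropped`, `groups_relinquished`) are my own, and the example assumes a Linux/glibc or BSD libc where setgroups() is declared in <grp.h> or <unistd.h>.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when every entry in groups[] is the primary gid, i.e. no
 * supplementary group membership survived the drop; 0 otherwise. */
int groups_relinquished(const gid_t *groups, int ngroups, gid_t primary)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] != primary)
            return 0;
    return 1;
}

/* Asks the kernel for the current state: real and effective uid/gid must
 * equal the target, and the supplementary group list must hold nothing but
 * the target gid. This is the check POS36-C wants after a drop. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    int n = getgroups(0, NULL);                      /* size of the list */
    if (n < 0) return 0;
    gid_t *list = malloc((size_t)(n > 0 ? n : 1) * sizeof *list);
    if (!list) return 0;
    n = getgroups(n, list);
    int ok = n >= 0 && groups_relinquished(list, n, gid);
    free(list);
    return ok;
}

/* Relinquish privileges in the POS36-C order: supplementary groups, then the
 * primary gid, then the uid. Calling setuid() first would leave the process
 * without the privilege needed for setgroups()/setgid(). Each step is checked
 * and the final state is verified. Returns 0 on success, -1 with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1;   /* needs root / CAP_SETGID */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (!privileges_dropped(uid, gid)) { errno = EPERM; return -1; }
    return 0;
}

/* Hypothetical driver: target ids come from argv[1] (uid) and argv[2] (gid);
 * without arguments the real ids are used, so an unprivileged run only
 * demonstrates the failure path (setgroups() returns EPERM). */
int main(int argc, char **argv)
{
    uid_t uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid=%u gid=%u, supplementary groups relinquished\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run as root with an unprivileged uid and gid as arguments to see the full drop; as a normal user the first step already fails, which is the behaviour to expect from a binary that is not setuid/setgid. For a setuid-root binary, setuid() called while effectively root sets real, effective and saved uid together, so the drop is permanent, which is the property NX needs.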