[X2Go-Dev] Bug#293: Use initgroups() to initialize group access list
Orion Poplawski
orion at cora.nwra.com
Thu Aug 29 19:12:14 CEST 2013
Package: nx-libs
Tags: patch

The Fedora review of nx-libs caught the following rpmlint issue:

This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this mean it didn't relinquish all groups, and this
would be a potential security issue to be fixed. Seek POS36-C on the web for
details about the problem.

Ref POS36-C:
https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges

This patch adds initgroups() calls to code to initialize the supplemental
group list.

I've done some minimal testing (can connect to a session with client and server
running this code), but I'm not sure how much that exercised it.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 http://www.nwra.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nx-libs-initgroups.patch
Type: text/x-patch
Size: 1402 bytes
Desc: not available
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20130829/d8134c42/attachment.bin>
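The revocation order that the rpmlint warning and POS36-C refer to, as an added example: this is not the attached nx-libs patch (which is not reproduced on this page) and not nx-libs code. The function names drop_privileges() and stray_groups() are hypothetical, and Linux/glibc is assumed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* initgroups(), getgrouplist() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

/* Count gids in have[] that do not appear in want[]. After a correct
 * drop this is 0: no group of the previous identity is left over. */
int stray_groups(const gid_t *have, int nhave, const gid_t *want, int nwant)
{
    int stray = 0;
    for (int i = 0; i < nhave; i++) {
        int found = 0;
        for (int j = 0; j < nwant && !found; j++)
            found = (have[i] == want[j]);
        stray += !found;
    }
    return stray;
}

/* Drop to `user` permanently. Returns 0 on success, -1 on any failure;
 * a caller that gets -1 should exit rather than continue. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    uid_t uid = pw->pw_uid;      /* copy out of the static passwd buffer */
    gid_t gid = pw->pw_gid;

    /* Order matters: supplementary groups first, then gid, then uid.
     * Once the uid is dropped, the group calls are no longer permitted. */
    if (initgroups(user, gid) != 0) return -1;
    if (setgid(gid) != 0)           return -1;
    if (setuid(uid) != 0)           return -1;

    /* Verify instead of trusting return codes alone. */
    gid_t have[256], want[256];
    int nwant = 256;
    int nhave = getgroups(256, have);
    if (nhave < 0 || getgrouplist(user, gid, want, &nwant) < 0)
        return -1;
    if (stray_groups(have, nhave, want, nwant) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)  /* regaining root must fail */
        return -1;
    return 0;
}
```
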