call setgroups before setgid

2025-04-12 15:17:14 +03:00 · 2014-03-30 17:28:00 +02:00 · 2014-03-30 17:28:00 +02:00 · 426797f9c0
commit 426797f9c0
parent 53550ff21e
2 changed files with 13 additions and 0 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+vNEXT: 
+	Call setgroups() before setgid() (fixes potential
+	privilege escalation).
+	(Lars Vogdt)
+
 v1.16:	11FEB2014
 	Probes made more resilient, to incoming data
 	containing NULLs. Also made them behave properly
--- a/common.c
+++ b/common.c
@ -6,6 +6,7 @@

 #define _GNU_SOURCE
 #include <stdarg.h>
+#include <grp.h>

 #include "common.h"
 #include "probe.h"
@ -578,6 +579,13 @@ void drop_privileges(const char* user_name)

    set_keepcaps(1);

+    /* remove extraneous groups in case we belong to several extra groups that
+     * may have unwanted rights. If non-root when calling setgroups(), it
+     * fails, which is fine because... we have no unwanted rights 
+     * (see POS36-C for security context)
+     * */
+    setgroups(0, NULL);
+
    res = setgid(pw->pw_gid);
    CHECK_RES_DIE(res, "setgid");
    res = setuid(pw->pw_uid);