From: Cyril Hrubis <chrubis@suse.cz>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH] read_all: Drop privileges
Date: Fri, 18 May 2018 19:09:33 +0200 [thread overview]
Message-ID: <20180518170933.GA5094@rei> (raw)
In-Reply-To: <5AFD5780.7040107@cn.fujitsu.com>
Hi!
> Sorry, it seems a bug in open(2) instead of watchdog.
Looks like the list of supplementary groups is at fault here.
On my system I do have in /etc/group:
root:x:0:root
Which means that among other groups root has root suplementary group set
when logged in.
Which means that even when a program sets it's user and group ids to
nobody the root still stays in the list of supplementary groups, which
then is matched for files with root group ownership and hence we can
stil open the file.
Adding setgroups(0, NULL); to switch_privs() in your program "fixes" the
behavior and we get EPERM as expected. And I guess that we should patch
the read_all to do the same, which should fix your problem. I will apply
the fix.
--
Cyril Hrubis
chrubis@suse.cz
next prev parent reply other threads:[~2018-05-18 17:09 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-15 9:51 [LTP] [PATCH] read_all: Drop privileges Richard Palethorpe
2018-05-15 10:30 ` Cyril Hrubis
2018-05-15 10:55 ` Richard Palethorpe
2018-05-15 10:57 ` Cyril Hrubis
2018-05-15 11:18 ` Punit Agrawal
2018-05-15 12:34 ` Richard Palethorpe
2018-05-15 11:23 ` Punit Agrawal
2018-05-16 9:39 ` Xiao Yang
2018-05-16 11:44 ` Cyril Hrubis
2018-05-17 10:20 ` Xiao Yang
2018-05-18 17:09 ` Cyril Hrubis [this message]
2018-05-19 9:04 ` Xiao Yang
2018-05-19 9:22 ` [LTP] [PATCH] fs/read_all: Clear suplementary groups before droping privileges Xiao Yang
2018-05-22 10:26 ` Richard Palethorpe
2018-05-22 10:56 ` Cyril Hrubis
2018-05-22 10:54 ` Cyril Hrubis
2018-05-15 11:00 ` [LTP] [PATCH v2] read_all: Drop privileges Richard Palethorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180518170933.GA5094@rei \
--to=chrubis@suse.cz \
--cc=ltp@lists.linux.it \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox