Bugs item #425401, was opened at 2001-05-19 01:42
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=103152&aid=425401&group_id=3152

Category: Architecture: Server (nsd)
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Anchor Systems Pty Ltd (anchorsystems)
>Assigned to: Kriston Rehberg (kriston)
Summary: supplementary groups not set/cleared

Initial Comment:
nsd/nsmain.c does not drop/set supplementary groups before changing user ID. This can lead to a security breach. Patch attached.

----------------------------------------------------------------------

Comment By: Cynthia Kiser (ckiser)
Date: 2001-08-08 14:41

Message:
Logged In: YES
user_id=292930

Think that changing user id is missing additional steps. I have AOLServer 3.2 + ad12 running as user nsadmin - but the umask for operations done by the server is not the 002 that is nsadmin's umask, but instead 022 like root. I tried setting umask by including it in the wrapper script I use to set Oracle environment variables:

#!/bin/sh
umask 002
. /etc/shell-mods.sh
exec `dirname $0`/nsd $*

And operations like opening a file handle, writing a file, and closing the handle give me files with group write permission. nscp gives me a file without group write. In both cases, the group for the file is set correctly (is the group set by the -g flag, not root's group "other").

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2001-07-19 16:52

Message:
Logged In: NO

Yes, all UNIX platforms are affected.

----------------------------------------------------------------------

Comment By: Kriston Rehberg (kriston)
Date: 2001-07-19 07:49

Message:
Logged In: YES
user_id=16427

Which versions of Unix? All?

----------------------------------------------------------------------
