I noted that the new version does this:

+               if (uid && setuid (uid) < 0) {
+                       nih_error_raise_system ();
+                       job_process_error_abort (fds[1], 
JOB_PROCESS_ERROR_SETUID, 0);
+               }
+
+               if (pw->pw_gid && setgid (pw->pw_gid) < 0) {
+                       nih_error_raise_system ();
+                       job_process_error_abort (fds[1], 
JOB_PROCESS_ERROR_SETGID, 0);
+               }
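Review bot: the setuid() block runs before the setgid() block, which is the wrong order: once setuid(uid) has switched to a non-root uid the process no longer holds CAP_SETGID, so the following setgid(pw->pw_gid) is refused (EPERM) for any gid other than the real or saved one, and the job aborts with JOB_PROCESS_ERROR_SETGID instead of starting. Move the `if (pw->pw_gid && setgid (pw->pw_gid) < 0)` block above the `if (uid && setuid (uid) < 0)` block so the group is changed while still privileged. Nothing in the hunk drops supplementary groups either; a setgroups() or initgroups() call before setgid() would be expected here, otherwise the job keeps the supplementary groups of the parent.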

Does that actually work that way around? After setuid() you usually lose
the privilege of changing between arbitrary groups (CAP_SETGID). I
suppose it actually works if you switch to the user's primary group, but
I've seen it fail in the past in daemons changing to a system user.
The usual approach is to change the group first, then the user. But the
result here would be an abort of the job, which is safe, so I don't
object to the change with my release hat on because of this.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/766206

Title:
  user session support allows non-priv users to gain root privileges

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs