[igt-dev] [PATCH i-g-t 2/3] lib/aux: Call setgroups() in igt_drop_root() before setgid()

Daniel Vetter daniel at ffwll.ch
Thu May 9 08:19:09 UTC 2019


On Wed, May 08, 2019 at 04:15:11PM -0400, Lyude wrote:
> From: Lyude Paul <lyude at redhat.com>
> 
> While igt isn't really security sensitive, forgetting to call
> setgroups() before calling setgid() causes rpmlint on Fedora to
> complain:
> 
>   igt-gpu-tools.x86_64: E: missing-call-to-setgroups-before-setuid
>   /usr/lib64/libigt.so.0
>   ...
>   missing-call-to-setgroups-before-setuid:
>   This executable is calling setuid and setgid without setgroups or
>   initgroups. There is a high probability this means it didn't relinquish
>   all groups, and this would be a potential security issue to be fixed.
>   Seek POS36-C on the web for details about the problem.
> 
> Since it's likely other package maintainers for other distros will have
> to deal with similar issues eventually, and I can't see any harm in it,
> let's do the right thing and call setgroups() first.

Yeah igt is more a pile of exploits really :-)

On the series: Reviewed-by: Daniel Vetter <daniel.vetter at ffwll.ch>
> 
> Signed-off-by: Lyude Paul <lyude at redhat.com>
> ---
>  lib/igt_aux.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/lib/igt_aux.c b/lib/igt_aux.c
> index caed1fed..578f8579 100644
> --- a/lib/igt_aux.c
> +++ b/lib/igt_aux.c
> @@ -49,6 +49,7 @@
>  #include <sys/utsname.h>
>  #include <termios.h>
>  #include <assert.h>
> +#include <grp.h>
>  
>  #include <proc/readproc.h>
>  #include <libudev.h>
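Review bot: the second hunk also calls getgroups(), which glibc declares in <unistd.h> rather than <grp.h>; that header is outside this hunk's context, so please confirm it is already included in lib/igt_aux.c, or add it next to `#include <grp.h>` so the build does not rely on a transitive include. Adding <grp.h> for setgroups() itself is correct.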
> @@ -959,9 +960,11 @@ void igt_drop_root(void)
>  {
>  	igt_assert_eq(getuid(), 0);
>  
> +	igt_assert_eq(setgroups(0, NULL), 0);
>  	igt_assert_eq(setgid(2), 0);
>  	igt_assert_eq(setuid(2), 0);
>  
> +	igt_assert_eq(getgroups(0, NULL), 0);
>  	igt_assert_eq(getgid(), 2);
>  	igt_assert_eq(getuid(), 2);
>  }
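Review bot: the ordering in this hunk is the important part and deserves a short comment in the code, since a later reshuffle could silently break it: `setgroups(0, NULL)` must run while the process is still uid 0, because after `setuid(2)` it would fail with EPERM, and `setgid(2)` before `setuid(2)` is likewise required so the gid change is still permitted. Suggest a one-line comment above `igt_assert_eq(setgroups(0, NULL), 0);` saying the supplementary groups are cleared first while we still have the privilege to do so. The added `igt_assert_eq(getgroups(0, NULL), 0);` is a good check: getgroups() with size 0 returns the number of supplementary groups, so asserting 0 verifies the list really is empty after the drop rather than only that the call succeeded.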
> -- 
> 2.20.1
> 

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch