Rpmlint: missing-call-to-setgroups-before-setuid

alciregi · September 10, 2019, 8:43pm

I created an RPM package. It seems Ok.
But running rpmlint I get this error:

hasciicam.x86_64: E: missing-call-to-setgroups-before-setuid /usr/bin/hasciicam
This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this means it didn't relinquish all groups, and
this would be a potential security issue to be fixed. Seek POS36-C on the web
for details about the problem.

In the source code there are these two lines:

setuid (uid);
setgid (gid);

Should they be reversed?

alciregi · September 10, 2019, 10:39pm

It’s not so simple, eh?

fweimer · September 11, 2019, 6:34am

It depends whether this is about giving up or gaining privileges. For giving up privileges, setuid should come last.

In all cases, you need proper error checking, handle supplementary groups, and scrub other parts of the process state (environment variables, umask, file descriptors, etc.).

Topic		Replies	Views
Persistent error with rpm-ostree Project Discussion silverblue-team	1	476	August 3, 2022
Group wheel rpm Project Discussion workstation-wg	3	273	September 12, 2020
`dnf install bind bind-utils` fails to create user/group `named` Ask Fedora	13	13341	December 18, 2023
Rpm-ostree permissions lost after adding kerberos packages Project Discussion silverblue-team	1	504	February 11, 2021
SELinux issue sometimes when installing packages using DNF Ask Fedora cinnamon , selinux	3	895	December 12, 2021

Rpmlint: missing-call-to-setgroups-before-setuid

Related Topics