jaromil / hasciicam

(h)ascii for the masses! html refreshed ascii video cam
GNU General Public License v2.0

POS36-C #8

Closed alcir closed 5 years ago

alcir commented 5 years ago

I'm not a developer/programmer. But this is the power of free software, meh. So, running rpmlint versus the RPM package I created, it complains about: POS36-C

hasciicam.x86_64: E: missing-call-to-setgroups-before-setuid /usr/bin/hasciicam
This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this means it didn't relinquish all groups, and
this would be a potential security issue to be fixed. Seek POS36-C on the web
for details about the problem.

As said I'm not a C programmer or so, but using these lines:

  setgroups(0, NULL);
  setgid(gid);
  setuid(uid);

instead of

  setuid (uid);
  setgid (gid);

hasciicam still works 😅 and rpmlint is happy.

jaromil commented 5 years ago

Thanks! It seems sane to use setgroups and drop all ancillary groups, esp. since we permanently drop the privileges there.

jaromil commented 5 years ago

Fixed in 12200d134b348a47e613efb2944e825697206cd7