roehling / postsrsd

Postfix Sender Rewriting Scheme daemon

drop_privileges does not drop enough #133

Closed jengelh closed 1 year ago

jengelh commented 1 year ago

rpmlint has found an issue with postsrsd 2.0.1:

```
[    5s] postsrsd.x86_64: E: missing-call-to-setgroups-before-setuid /usr/sbin/postsrsd
[    5s] This executable is calling setuid and setgid without setgroups or initgroups.
[    5s] This means it didn't relinquish all groups, and this would be a potential
[    5s] security issue.
```

Supplementary groups are kept across setgid and setuid calls, so drop_privileges may not be completely dropping all privileges provided suitable starting conditions. Consider:

```
### ls -al /etc/at.deny 
-rw-r----- 1 root root 62 Aug 31 14:16 /etc/at.deny
### cat x.cpp
#include <unistd.h>
#include <stdio.h>
int main()
{
        /* no setgroups()/initgroups() call: the supplementary groups
         * inherited from the root shell survive both calls below */
        setgid(65534);
        setuid(65534);
        if (access("/etc/at.deny", R_OK) == 0)
                printf("Can still read\n");
}
### ./a.out 
Can still read
```
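For comparison, here is an added example (not postsrsd's own code) of a `drop_privileges` that clears the supplementary group list before changing gid and uid, checks every call, and reads the group list back afterwards to confirm nothing survived; the target uid/gid 65534 and the 256-entry group buffer are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
/* 1 if every entry of groups[] equals gid (empty list counts as clean), else 0. */
int only_group_is(const gid_t *groups, int count, gid_t gid)
{
    for (int i = 0; i < count; i++)
        if (groups[i] != gid)
            return 0;
    return 1;
}

/* Read back the kernel's supplementary group list and check it. */
int supplementary_groups_clean(gid_t gid)
{
    gid_t groups[256];                      /* assumed upper bound */
    int n = getgroups(256, groups);
    return n >= 0 && only_group_is(groups, n, gid); /* error/overflow => dirty */
}

/* Drop to uid/gid in the order setgroups -> setgid -> setuid, checking each call.
 * Returns 0 on success, -1 (errno set) on failure; needs root/CAP_SET{U,G}ID. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {             /* refuse to "drop" to root */
        errno = EINVAL;
        return -1;
    }
    /* Supplementary groups first: setgid()/setuid() leave them untouched. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify: root must be unreachable and no foreign group may remain. */
    if (setuid(0) == 0 || geteuid() != uid || !supplementary_groups_clean(gid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    if (drop_privileges(65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    puts("privileges dropped; no supplementary groups left");
    return 0;
}
```

Run as root, the `access("/etc/at.deny", R_OK)` probe from the report above fails after this function returns, because the supplementary groups that granted read access are gone.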