km4arr / openpgm

Automatically exported from code.google.com/p/openpgm

missing call to setgroups before setuid #36

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The rpmlint utility indicates an issue with openpgm's use of setuid().

Quoting from "rpmlint -I missing-call-to-setgroups-before-setuid":

This executable is calling setuid and setgid without setgroups or initgroups. 
There is a high probability this means it didn't relinquish all groups, and 
this would be a potential security issue to be fixed. Seek POS36-C on the web 
for details about the problem.

I'm attaching a patch against SVN trunk (r1508 at the time of writing).

For a commit log, you can use the following text:

When dropping privileges from root, the `setgroups` call will remove any 
extraneous groups. If we don't call this, then even though our uid has dropped, 
we may still have groups that enable us to do super-user things.

Original issue reported on code.google.com by kdre...@redhat.com on 2 Mar 2015 at 10:13

Attachments:
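The ordering this report asks for, shown as an added example; it is not the attached patch and not openpgm's code. The function names `drop_privileges` and `only_group` and the target id 65534 are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes setgroups() in glibc's <grp.h> */
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Returns 1 if every entry in list[0..n) equals gid, otherwise 0. */
int only_group(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] != gid)
            return 0;
    return 1;
}

/* Drop from root to uid/gid. Returns 0 on success, or the negative
 * number of the step that failed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t left[64];

    /* 1. Supplementary groups first: this needs root, so it cannot
     *    be done once setuid() has succeeded. */
    if (setgroups(1, &gid) != 0) return -1;
    /* 2. Primary group next, also while still root. */
    if (setgid(gid) != 0) return -2;
    /* 3. User id last. */
    if (setuid(uid) != 0) return -3;

    /* Verify the result instead of trusting return codes alone. */
    int n = getgroups(64, left);
    if (n < 0 || !only_group(left, n, gid)) return -4;
    if (getgid() != gid || getegid() != gid) return -5;
    if (getuid() != uid || geteuid() != uid) return -6;
    if (uid != 0 && setuid(0) == 0) return -7;  /* root must not come back */
    return 0;
}

int main(void)
{
    /* 65534 is a constructed target id ("nobody" on many systems). */
    int rc = drop_privileges(65534, 65534);
    if (rc != 0)   /* never carry on with partial privileges */
        fprintf(stderr, "privilege drop failed at step %d\n", -rc);
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Started as root, the program exits 0 only when no group other than the target gid remains; started as an ordinary user it reports a failure at step 1, because `setgroups` itself requires privilege.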