X2Go Bug report logs - #293
Use initgroups() to initialize group access list


Package: nx-libs; Maintainer for nx-libs is X2Go Developers <x2go-dev@lists.x2go.org>;

Reported by: Orion Poplawski <orion@cora.nwra.com>

Date: Thu, 29 Aug 2013 17:18:02 UTC

Severity: normal

Tags: patch, pending

Fixed in version 2:3.5.0.21

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log


Subject: Bug#293: Use initgroups() to initialize group access list
Reply-To: Orion Poplawski <orion@cora.nwra.com>, 293@bugs.x2go.org
Date: Thu, 29 Aug 2013 11:12:14 -0600
From: Orion Poplawski <orion@cora.nwra.com>
To: submit@bugs.x2go.org
[Message part 1 (text/plain, inline)]
Package: nx-libs
Tags: patch

The Fedora review of nx-libs caught the following rpmlint issue:

This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this mean it didn't relinquish all groups, and this
would be a potential security issue to be fixed. Seek POS36-C on the web for
details about the problem.

Ref POS36-C:

https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges

This patch adds initgroups() calls to code to initialize the supplemental 
group list.

I've done some minimal testing (can connect to a session with client and server
running this code), but I'm not sure how much that exercised it.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@nwra.com
Boulder, CO 80301                   http://www.nwra.com
[nx-libs-initgroups.patch (text/x-patch, attachment)]
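The revocation order the rpmlint warning and POS36-C describe, written out as an added example (this is neither nx-libs code nor the attached patch): supplementary groups are replaced first, then the primary group, then the user id, and the result is checked. The target account name "nobody" and the function names are assumptions for illustration.

```c
/* Added example, not nx-libs code: drop root to an unprivileged account
 * in the order POS36-C requires, then verify the drop actually took. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <unistd.h>

/* Returns 0 on success, -errno on failure. initgroups() must run before
 * setuid(): once the uid is gone so is the privilege setgroups() needs,
 * and root's inherited groups would stay in the access list (the defect
 * rpmlint flagged). */
int drop_privileges_to_user(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -ENOENT;                 /* unknown account */
    if (initgroups(user, pw->pw_gid) != 0) /* 1. supplementary groups */
        return -errno;
    if (setgid(pw->pw_gid) != 0)        /* 2. primary group */
        return -errno;
    if (setuid(pw->pw_uid) != 0)        /* 3. user id, last */
        return -errno;
    /* 4. The drop must be irreversible; regaining root means it failed. */
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return -EPERM;
    if (pw->pw_gid != 0 && setgid(0) == 0)
        return -EPERM;
    return 0;
}

/* Returns 1 when every supplementary group the process holds is one
 * `user` legitimately belongs to, 0 otherwise: this is the check that
 * catches groups left over from the privileged parent. */
int groups_belong_to_user(const char *user)
{
    gid_t expected[256], actual[256];
    int nexp = 256, nact, i, j, found;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || getgrouplist(user, pw->pw_gid, expected, &nexp) < 0)
        return 0;
    nact = getgroups(256, actual);
    if (nact < 0)
        return 0;
    for (i = 0; i < nact; i++) {
        for (found = 0, j = 0; j < nexp; j++)
            if (actual[i] == expected[j])
                found = 1;
        if (!found)
            return 0;                   /* a group the user never had */
    }
    return 1;
}
```

Run as root the drop succeeds and the group check passes; run unprivileged, initgroups() fails with EPERM and the function reports that instead of continuing with a half-dropped process.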



X2Go Developers <owner@bugs.x2go.org>. Last modified: Sun Nov 24 00:13:13 2024; Machine Name: ymir.das-netzwerkteam.de
