author | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2025-07-18 23:14:40 +0200 |
---|---|---|
committer | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2025-08-03 23:59:55 +0200 |
commit | ad4589e2d834c80a042a8c354fb00cf33e06802c (patch) | |
tree | e0666d401943a47994161edc9d0007f96dd8d6c6 | |
parent | e1f03adef9f52c5c93d4e75295de201cbdc1b793 (diff) | |
hurd: support: Fix running SGID tests
Secure mode is enabled only if SGID actually provides a new privilege,
so we have to drop it before gaining it again.
Fixes commit 3a3fb2ed83f79100c116c824454095ecfb335ad7
("Fix error reporting (false negatives) in SGID tests")
-rw-r--r-- | support/support_capture_subprocess.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/support/support_capture_subprocess.c b/support/support_capture_subprocess.c
index b4e4bf9..c89e65b 100644
--- a/support/support_capture_subprocess.c
+++ b/support/support_capture_subprocess.c
@@ -133,6 +133,27 @@ copy_and_spawn_sgid (const char *child_id, gid_t gid)
 if (chmod (execname, 02750) != 0) FAIL_UNSUPPORTED ("cannot make \"%s\" SGID: %m ", execname);
+ /* Now we can drop the privilege of that group. */
+ const int count = 64;
+ gid_t groups[count];
+ int ngroups = getgroups(count, groups);
+
+ if (ngroups < 0)
+ FAIL_UNSUPPORTED ("Could not get group list again for user %jd\n",
+ (intmax_t) getuid ());
+
+ int n = 0;
+ for (int i = 0; i < ngroups; i++)
+ {
+ if (groups[i] != gid)
+ {
+ if (n != i)
+ groups[n] = groups[i];
+ n++;
+ }
+ }
+ setgroups (n, groups);
+
 /* We have the binary, now spawn the subprocess. Avoid using support_subprogram because we only want the program exit status, not the contents. */ |
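Review bot: The result of `setgroups (n, groups);` at the end of the added block is discarded, so if the call fails the process keeps `gid` in its supplementary groups and the test carries on without the precondition the commit message describes (SGID must provide a new privilege for secure mode to be enabled). If a failure is expected and harmless on some targets, a comment should say so; otherwise report it, e.g. `if (setgroups (n, groups) != 0) FAIL_UNSUPPORTED ("cannot drop group %jd: %m\n", (intmax_t) gid);`. The fixed `count = 64` also looks fragile: `getgroups` normally fails when the caller belongs to more groups than the buffer holds, and the message printed in that case has no `%m`, so the log would not show the cause. copy_and_spawn_sgid starts before and continues after this hunk, so the earlier group lookup that "again" refers to is not visible here.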