author | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2025-07-18 23:14:40 +0200 |
---|---|---|
committer | Aurelien Jarno <aurelien@aurel32.net> | 2025-08-06 11:56:44 +0200 |
commit | c5476b7907d01207ede6bf57b26cef151b601f35 (patch) | |
tree | 3c18a595b17788bfa177412dfb3f2bc0b56d293d /support/support_capture_subprocess.c | |
parent | e5754399b542640f3f69c5e2513c57a307656032 (diff) | |
hurd: support: Fix running SGID tests (release/2.42/master)
Secure mode is enabled only if SGID actually provides a new privilege,
so we have to drop it before gaining it again.
Fixes commit 3a3fb2ed83f79100c116c824454095ecfb335ad7
("Fix error reporting (false negatives) in SGID tests")
(cherry picked from commit ad4589e2d834c80a042a8c354fb00cf33e06802c)
Diffstat (limited to 'support/support_capture_subprocess.c')
-rw-r--r-- | support/support_capture_subprocess.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/support/support_capture_subprocess.c b/support/support_capture_subprocess.c
index b4e4bf9..c89e65b 100644
--- a/support/support_capture_subprocess.c
+++ b/support/support_capture_subprocess.c
@@ -133,6 +133,27 @@ copy_and_spawn_sgid (const char *child_id, gid_t gid)
 if (chmod (execname, 02750) != 0)
 FAIL_UNSUPPORTED ("cannot make \"%s\" SGID: %m ", execname);
 
+ /* Now we can drop the privilege of that group. */
+ const int count = 64;
+ gid_t groups[count];
+ int ngroups = getgroups(count, groups);
+
+ if (ngroups < 0)
+ FAIL_UNSUPPORTED ("Could not get group list again for user %jd\n",
+ (intmax_t) getuid ());
+
+ int n = 0;
+ for (int i = 0; i < ngroups; i++)
+ {
+ if (groups[i] != gid)
+ {
+ if (n != i)
+ groups[n] = groups[i];
+ n++;
+ }
+ }
+ setgroups (n, groups);
+
 /* We have the binary, now spawn the subprocess. Avoid using
 support_subprogram because we only want the program exit status, not the
 contents. */ |
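Review bot: The result of `setgroups (n, groups)` at the end of the added block is discarded, so when the group cannot be dropped the test carries on with `gid` still in the supplementary list and, going by the commit message, the child would then not enter secure mode. Either check it, e.g. `if (setgroups (n, groups) != 0) FAIL_UNSUPPORTED ("cannot drop group %jd: %m\n", (intmax_t) gid);`, or, if failure is expected where the caller lacks the privilege to change its group list (presumably the non-Hurd case), say so in a comment such as `/* Best effort: only needed where secure mode depends on SGID granting a new group.  */`. The fixed `count = 64` also makes `getgroups` fail for a process that belongs to more than 64 groups, and the resulting message omits `%m`; sizing the array from `getgroups (0, NULL)` would avoid that. The drop applies to the calling test process and is not undone afterwards, which looks like it could affect a later call that relies on the same group; this should be confirmed against the callers. The body of copy_and_spawn_sgid starts and ends outside this hunk.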