nsenter: fix set{gid,uid} order,drop supplementary groups

.. always, always setgid() before setuid()! Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1061751 Signed-off-by: Karel Zak <kzak@redhat.com>
author: Karel Zak 2014-02-06 14:14:50 +0100
committer: Karel Zak 2014-02-06 14:14:50 +0100
commit: 99d7e174119e8717efae0f0fec5f7dec14492fb3 (patch)
tree: ef37247d46d6ee71459259a16c25ddfde78b0bc7 /sys-utils/nsenter.c
parent: dmesg: -w output not line-buffered (diff)
download: kernel-qcow2-util-linux-99d7e174119e8717efae0f0fec5f7dec14492fb3.tar.gz
kernel-qcow2-util-linux-99d7e174119e8717efae0f0fec5f7dec14492fb3.tar.xz
kernel-qcow2-util-linux-99d7e174119e8717efae0f0fec5f7dec14492fb3.zip
1 files changed, 5 insertions, 2 deletions
diff --git a/sys-utils/nsenter.c b/sys-utils/nsenter.c
index 13f729e53..dfb1a3b51 100644
--- a/sys-utils/nsenter.c
+++ b/sys-utils/nsenter.c
@@ -28,6 +28,7 @@
 #include <assert.h>
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <grp.h>
 
 #include "strutils.h"
 #include "nls.h"
@@ -328,10 +329,12 @@ int main(int argc, char *argv[])
 		continue_as_child();
 
 	if (namespaces & CLONE_NEWUSER) {
-		if (setuid(uid) < 0)
-			err(EXIT_FAILURE, _("setuid failed"));
+		if (setgroups(0, NULL))		/* drop supplementary groups */
+			err(EXIT_FAILURE, _("setgroups failed"));
 		if (setgid(gid) < 0)
 			err(EXIT_FAILURE, _("setgid failed"));
+		if (setuid(uid) < 0)
+			err(EXIT_FAILURE, _("setuid failed"));
 	}
 
 	if (optind < argc) {
author	Karel Zak	2014-02-06 14:14:50 +0100
committer	Karel Zak	2014-02-06 14:14:50 +0100
commit	99d7e174119e8717efae0f0fec5f7dec14492fb3 (patch)
tree	ef37247d46d6ee71459259a16c25ddfde78b0bc7 /sys-utils/nsenter.c
parent	dmesg: -w output not line-buffered (diff)
download	kernel-qcow2-util-linux-99d7e174119e8717efae0f0fec5f7dec14492fb3.tar.gz kernel-qcow2-util-linux-99d7e174119e8717efae0f0fec5f7dec14492fb3.tar.xz kernel-qcow2-util-linux-99d7e174119e8717efae0f0fec5f7dec14492fb3.zip