From 99d7e174119e8717efae0f0fec5f7dec14492fb3 Mon Sep 17 00:00:00 2001
From: Karel Zak
Date: Thu, 6 Feb 2014 14:14:50 +0100
Subject: nsenter: fix set{gid,uid} order,drop supplementary groups
.. always, always setgid() before setuid()!
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1061751
Signed-off-by: Karel Zak
---
 sys-utils/nsenter.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'sys-utils/nsenter.c')
diff --git a/sys-utils/nsenter.c b/sys-utils/nsenter.c
index 13f729e53..dfb1a3b51 100644
--- a/sys-utils/nsenter.c
+++ b/sys-utils/nsenter.c
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 #include "strutils.h"
 #include "nls.h"
@@ -328,10 +329,12 @@ int main(int argc, char *argv[])
 continue_as_child();
 if (namespaces & CLONE_NEWUSER) {
- if (setuid(uid) < 0)
- err(EXIT_FAILURE, _("setuid failed"));
+ if (setgroups(0, NULL)) /* drop supplementary groups */
+ err(EXIT_FAILURE, _("setgroups failed"));
 if (setgid(gid) < 0)
 err(EXIT_FAILURE, _("setgid failed"));
+ if (setuid(uid) < 0)
+ err(EXIT_FAILURE, _("setuid failed"));
 }
 if (optind < argc) {
--
cgit v1.2.3-55-g7522
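Review bot: The reason for the new call order in the `CLONE_NEWUSER` block is recorded only in the commit message, so a later refactor could move `setuid()` back up without anyone noticing. A comment above `setgroups()` would pin it, for example `/* order matters: groups and gid first, setuid() last, because changing the uid can remove the privilege the other two calls need */`. The new `setgroups(0, NULL)` check tests for any non-zero result while the two calls below it test `< 0`; `if (setgroups(0, NULL) < 0)` would keep the three checks uniform. Treating a setgroups failure as fatal is the right fail-closed choice, but it presumably makes nsenter exit wherever the caller is not permitted to change groups in the target user namespace, which may deserve a sentence in the man page. The block sits inside main(), whose body starts and ends outside this hunk.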