Hi Orion,

On Do 29 Aug 2013 01:14:39 CEST Orion Poplawski wrote:

> On 07/25/2013 02:54 PM, Mike Gabriel wrote:
>> Hi Orion,
>>
>> On Do 25 Jul 2013 22:30:52 CEST Orion Poplawski wrote:
>>
>>> On 07/14/2013 03:33 AM, Moritz Strübe wrote:
>>>> Hey,
>>>>
>>>> this is a bit of guesswork, but,
>>>> * getgid gets the _real_ real gid
>>>> * setgid sets the _effective_ gid
>>>> Thus you reset the effective s/gid.
>>>>
>>>> Morty
>>>
>>> But why does it need to call this? Isn't everything running as the user
>>> already?
>>
>>
>> Everything in NX runs under the user who launches the X2Go session. IMHO
>> resetting the effective GID prevents us from setgid file permission
>> manipulations, so that the effective group ID always is the primary/real group
>> ID of the current user that is executing the NX binary.
>>
>> Greets,
>> Mike
>
> Some more info:
>
> This executable is calling setuid and setgid without setgroups or initgroups.
> There is a high probability this means it didn't relinquish all groups, and this
> would be a potential security issue to be fixed. Seek POS36-C on the web for
> details about the problem.
>
> Ref POS36-C:
>
> https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges

I just looked at the code again. The order (setgid, then setuid) is ok in the NX code. Will you work on the setgroups/initgroups thing?

We at least need a bug report against nx-libs. Can you please file that against X2Go BTS?

Thanks,
Mike


--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
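The POS36-C point raised in the quoted message, shown as an added C example that is not part of this thread or of nx-libs: supplementary groups are reset first, then the primary gid, then the uid, and the result is verified rather than assumed. The GROUP_BUF size and the uid/gid arguments are assumptions for illustration.

```c
/* Relinquishing privileges in the CERT POS36-C order: supplementary
 * groups first, then the primary gid, then the uid. The order matters
 * because once setuid() has given up root, setgroups()/setgid() fail
 * with EPERM and the process silently keeps its old groups. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <unistd.h>
#include <sys/types.h>

#define GROUP_BUF 64   /* assumed upper bound for getgroups(); not from the thread */

/* Returns 1 if the supplementary group list holds nothing but the target
 * primary gid (an empty list also qualifies), 0 if any other group remains. */
int groups_relinquished(const gid_t *groups, int ngroups, gid_t target)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] != target)
            return 0;
    return 1;
}

/* Drops to uid/gid in the correct order and verifies the result.
 * Returns 0 on success, a negative errno value otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t remaining[GROUP_BUF];
    int n;

    /* 1. supplementary groups: the step the thread reports as missing.
     *    initgroups(user, gid) is the alternative when the target user's
     *    configured groups should be kept; here everything but gid goes. */
    if (setgroups(1, &gid) != 0)
        return -errno;
    /* 2. primary group (real, effective and saved) */
    if (setgid(gid) != 0)
        return -errno;
    /* 3. user id last, since it removes the right to do steps 1 and 2 */
    if (setuid(uid) != 0)
        return -errno;
    /* 4. verify: a partial drop must not pass as success */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -EPERM;
    n = getgroups(GROUP_BUF, remaining);
    if (n < 0)
        return -errno;        /* EINVAL here means more than GROUP_BUF groups */
    if (!groups_relinquished(remaining, n, gid))
        return -EPERM;
    return 0;
}
```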


_______________________________________________
X2Go-Dev mailing list
X2Go-Dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/x2go-dev