[opensuse] Re: Problem with suid pgms on Leap-15.0
Mark Hounschell wrote:
On 06/04/2018 09:27 AM, L A Walsh wrote:

To be clear, and I have tested this, I am not losing my group memberships when I start the suid pgm or during its execution. They are simply not being passed to an exec'd external entity.
----
That's not exactly clear to me.

FWIW, I get annoyed at programs that mess with GID-based
access. Groups are perfect for giving access to multiple accounts
owned by the same person, among other things...


1) Let me repeat that back -- a program running as root (the suid pgm), execs another program and the groups disappear?
OR) do you mean only execution of bash scripts?

2) You say you used to do the exact same thing under 13.2? Using
bash-4.2 and it worked, but now under Leap-15 and bash-4.???
it doesn't work?

3) at what point in executing 'pgm+<whatever>', does the 'job' stop
being 'root' -- or is it your belief that it stays root throughout
execution until pgm terminates?

In the main program, not the example I provided, I fork/exec/wait. The main process still has my group memberships after that. They just don't make it into the exec'd pgm/script.
---
What is 'pgm'? Is it a binary or some sort of script?
How is the main-process run? Is it setuid, or do you use a program like 'sudo', 'su', or 'runas' or ???

How about the main process? What type of program is it?

In the code I quoted, it looked like it was when resetting
groups before it dropped root -- that's why I'm asking if it keeps
root while executing everything, or if it drops it at some point, or what, since it sounded like you were saying the groups were dropped
when you became root -- but with *this* note, it sounds like that's
not the case either, but more in line with a fork or exec?

I had some other Q's, but had a phone call come in that caused a stack overflow in my brain....oh well.
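An added diagnostic harness, not code from either poster: a small C program that prints the credentials the parent sees, then checks whether a forked child and an exec'd /bin/sh see the same supplementary group list. Supplementary groups change only through setgroups()/initgroups(); fork() and execve() carry them through unchanged, so if the exec'd script sees fewer groups, something in between called one of those. Build with cc, then optionally chown root and chmod u+s the binary to reproduce the setuid case (an assumption about the reporter's setup). If /bin/sh is bash and euid != ruid, bash resets the euid to the ruid unless started with -p; that affects the uid line, not the group list.

```c
/* groupcheck.c (added example): where do supplementary groups change? */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MAXG 256

/* Number of supplementary groups of the calling process. */
int group_count(void) {
    return getgroups(0, NULL);
}

/* Fill buf with the caller's supplementary groups, sorted so two
 * snapshots can be compared with memcmp(). Returns the count or -1. */
int snapshot_groups(gid_t *buf, int max) {
    int n = getgroups(max, buf);
    if (n < 0) return -1;
    for (int i = 1; i < n; i++) {           /* insertion sort */
        gid_t v = buf[i]; int j = i - 1;
        while (j >= 0 && buf[j] > v) { buf[j + 1] = buf[j]; j--; }
        buf[j + 1] = v;
    }
    return n;
}

static void print_ids(const char *tag) {
    gid_t g[MAXG];
    int n = snapshot_groups(g, MAXG);
    printf("%s: ruid=%u euid=%u rgid=%u egid=%u groups=", tag,
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
    for (int i = 0; i < n; i++) printf("%u ", (unsigned)g[i]);
    printf("\n");
}

/* Fork a child that reports its group list through a pipe. Returns 1 if
 * the child saw exactly the parent's list, 0 if not, -1 on error. */
int child_groups_match(void) {
    int fd[2];
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        gid_t g[MAXG];
        int n = snapshot_groups(g, MAXG);
        close(fd[0]);
        (void)write(fd[1], &n, sizeof n);
        if (n > 0) (void)write(fd[1], g, n * sizeof(gid_t));
        _exit(0);
    }
    close(fd[1]);
    gid_t pg[MAXG], cg[MAXG];
    int pn = snapshot_groups(pg, MAXG), cn = -1;
    (void)read(fd[0], &cn, sizeof cn);
    if (cn > 0) (void)read(fd[0], cg, cn * sizeof(gid_t));
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (pn < 0 || pn != cn) return 0;
    return memcmp(pg, cg, pn * sizeof(gid_t)) == 0;
}

int main(int argc, char **argv) {
    print_ids("parent");
    printf("forked child sees same groups: %d\n", child_groups_match());
    /* Same check across exec: run /bin/sh (or argv[1]) and let it print
     * its own view with id(1); compare against the parent line above. */
    const char *cmd = argc > 1 ? argv[1] : "echo \"exec'd sh: $(id -G)\"";
    pid_t pid = fork();
    if (pid == 0) { execl("/bin/sh", "sh", "-c", cmd, (char *)0); _exit(127); }
    waitpid(pid, NULL, 0);
    print_ids("parent after wait");
    return 0;
}
```

Run it once unprivileged and once setuid root; the line that first differs from "parent" tells you whether the loss happens in the setuid program itself (a setgroups()/initgroups() call before it drops root) or only in the exec'd shell.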
