Dario Abatianni changed bug 1095670
What  | Removed | Added
Flags |         | needinfo?(werner@suse.com)

Comment # 18 on bug 1095670 from
Thanks for the response! My approach is very similar to comment #7 and looks
like this; the output is the same before the patch and after the patch:

--------------------------

# version numbers after installing
# ReviewRequestID: SUSE:Maintenance:7803:171261
# Repository: http://download.suse.de/ibs/SUSE:/Maintenance:/7803/

bragi:~ # rpm -q bash
bash-4.4-9.5.2.x86_64
bragi:~ # bash --version
GNU bash, version 4.4.23(1)-release (x86_64-suse-linux-gnu)
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

--------------------------

# create the helper shell script and make it executable:

bragi:~ # cat > /tmp/reproducer_1095670.sh <<EOF
#!/bin/bash
whoami
id
EOF
bragi:~ # chmod +x /tmp/reproducer_1095670.sh

# create the reproducer, but don't set it to SUID yet:

bragi:~ # cat > /tmp/reproducer_1095670.c << EOF
#define _GNU_SOURCE
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    char *path = getenv("PATH");
    char  pathenv[strlen(path) + sizeof("PATH=")];
    sprintf(pathenv, "PATH=%s", path);
    char *envp[] = {pathenv, NULL};
    char *tests[] = {"/tmp/reproducer_1095670.sh", NULL};
    execvpe(tests[0], tests, envp);
}
EOF
bragi:~ # gcc -o /tmp/reproducer_1095670 /tmp/reproducer_1095670.c

# switch to the user account (same output when I log in via ssh)

bragi:~ # su - dabatianni                                   
dabatianni@bragi:~> /tmp/reproducer_1095670
dabatianni
uid=16676(dabatianni) gid=50(suse) groups=50(suse),22224(vpn2)

# At this point the extra group vpn2 is still there

dabatianni@s390vsl083:~> logout

# SUID the reproducer and try again:

bragi:~ # chmod +s /tmp/reproducer_1095670

# switch to the user account (same output when I log in via ssh)

bragi:~ # su - dabatianni                                   
dabatianni@bragi:~> /tmp/reproducer_1095670
dabatianni
uid=16676(dabatianni) gid=50(suse) groups=50(suse)

# after SUIDing the binary the extra group vpn2 is gone when using the
# reproducer, but it's still there when regularly running id:

dabatianni@bragi:~> id
uid=16676(dabatianni) gid=50(suse) groups=50(suse),22224(vpn2)

--------------------------

Please let me know if you need any more information or if I can help in any
other way! Thanks!
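
Added diagnostic, not part of the comment above and not code from the bash package: it reports the real and effective IDs and the supplementary group list of the calling process. Built and given the same mode bits as the reproducer, it shows the credentials a process holds before any shell is started, for comparison with the `id` output in the transcript. The function names and the `MAX_GROUPS` bound are choices made for this example.

```c
/* Added diagnostic; names and MAX_GROUPS are assumptions of this example. */
#include <stdarg.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 256 /* assumed upper bound on supplementary groups */

/* 1 if real and effective IDs differ, the state a SUID/SGID program starts in. */
int ids_differ(void) { return getuid() != geteuid() || getgid() != getegid(); }

/* Append formatted text at *off; 0 on success, -1 if it would not fit. */
static int append(char *buf, size_t n, size_t *off, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int w = vsnprintf(buf + *off, n - *off, fmt, ap);
    va_end(ap);
    if (w < 0 || (size_t)w >= n - *off)
        return -1;
    *off += (size_t)w;
    return 0;
}

/* Fill buf with "ruid=.. euid=.. rgid=.. egid=.. groups=a,b"; length or -1. */
int format_creds(char *buf, size_t n)
{
    gid_t groups[MAX_GROUPS];
    size_t off = 0;
    int ng = getgroups(MAX_GROUPS, groups);
    if (n == 0 || ng < 0)
        return -1;
    if (append(buf, n, &off, "ruid=%lu euid=%lu rgid=%lu egid=%lu groups=",
               (unsigned long)getuid(), (unsigned long)geteuid(),
               (unsigned long)getgid(), (unsigned long)getegid()))
        return -1;
    for (int i = 0; i < ng; i++)
        if (append(buf, n, &off, i ? ",%lu" : "%lu", (unsigned long)groups[i]))
            return -1;
    return (int)off;
}

int main(void)
{
    char line[4096];
    if (format_creds(line, sizeof line) < 0) return 1;
    printf("%s%s\n", line, ids_differ() ? " (real != effective)" : "");
    return 0;
}
```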
