[Bug 1095670] New: Problem with suid pgms on Leap-15.0

http://bugzilla.suse.com/show_bug.cgi?id=1095670 Bug ID: 1095670 Summary: Problem with suid pgms on Leap-15.0 Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.0 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Basesystem Assignee: bnc-team-screening@forge.provo.novell.com Reporter: dmarkh@cfl.rr.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- I am upgrading an older SuSE-13.2 box to Leap. I have done a fresh Leap-15.0 install and ported over the source code that we ran on the 13.2 box. It builds fine but I am having an issue. The program is/has to be an suid pgm. It also uses fork/execvpe/wait to execute some external scripts. And that is where my problem lies. The user is a member of several groups but these group memberships seem to disappear when these external scripts are executed. For instance the user is a member of the cdrom group so he can eject and work with a DVD. I have created a simple example script and source for a pgm that execvpe's that script which shows my problem. test.sh script: #!/bin/sh whoami id test.c pgm source: #define _GNU_SOURCE #include #include #include #include int main() { char *path = getenv("PATH"); char pathenv[strlen(path) + sizeof("PATH=")]; sprintf(pathenv, "PATH=%s", path); char *envp[] = {pathenv, NULL}; char *tests[] = {"./test.sh", NULL}; execvpe(tests[0], tests, envp); } #cc test.c #/a.out markh uid=5076(markh) gid=100(users) groups=100(users),19(floppy),200(lcrs),484(tape),485(lp),488(disk),489(dialout),490(cdrom) Then as root: #chown root ./a.out #chgrp root ./a.out #chmod +s ./a.out Then as user #./a.out markh uid=5076(markh) gid=100(users) groups=100(users) Once the pgm is owned by root and suid, I lose all my group memberships for some unknown reason. It is not proper to me. This all works fine on 13.2 but does not on Leap 15 or Leap 42.3. Is there some security setting somewhere that broke this? -- You are receiving this mail because: You are on the CC list for the bug.