bug-tar

From: Sergey Poznyakoff
Subject: Re: tar attempts to drop privileges for remote command but mishandles groups
Date: Mon, 08 Feb 2021 17:38:50 +0200

Hi Ondrej,

> Tar does not attempt to initialize supplementary groups when dropping
> privileges.

Indeed, it does not.  However, doing it the way you propose is of little
practical value, because the caller might as well set the USER variable
to any other user in order to obtain that user's privileges.  You can
easily test that.

> Also according to this
> https://wiki.sei.cmu.edu/confluence/display/c/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges
> gid should be reset before uid.

While technically true, swapping them does little harm, because
setgid (getgid ()) works well for an ordinary (non-root) user.

Regards,
Sergey
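
Added example, not part of the original message and not code from GNU tar: a minimal C sketch of the revocation order that POS36-C (linked in the quoted text) describes, with supplementary groups first, then gid, then uid, followed by verification. The helper name drop_privileges is hypothetical, and the account name is taken from the passwd database by uid rather than from $USER, which is the concern raised in the reply above.

```c
#define _GNU_SOURCE            /* for setgroups()/initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently become (uid, gid).
   Returns 0 on success, -1 if any step fails or cannot be verified. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may change the supplementary group list, so this must
           happen first.  The account name comes from the passwd database,
           keyed by uid, never from $USER, which the caller controls. */
        struct passwd *pw = getpwuid(uid);
        if (pw != NULL) {
            if (initgroups(pw->pw_name, gid) != 0)
                return -1;
        } else if (setgroups(1, &gid) != 0) {
            return -1;          /* no passwd entry: keep the primary group only */
        }
    }
    /* gid before uid: once the uid is dropped, a process that was
       root can no longer change its gid. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify that real and effective ids are what was requested ... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* ... and that root cannot be regained. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* The case discussed in the thread: fall back to the invoking user's real ids. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid=%ld gid=%ld\n", (long)getuid(), (long)getgid());
    return 0;
}
```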
