Posted to dev@mesos.apache.org by "Benjamin Mahler (JIRA)" <ji...@apache.org> on 2013/10/04 01:04:43 UTC

[jira] [Commented] (MESOS-719) missing-call-to-setgroups

    [ https://issues.apache.org/jira/browse/MESOS-719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13785642#comment-13785642 ] 

Benjamin Mahler commented on MESOS-719:
---------------------------------------

Is it referring to os::su?

{code}
inline bool su(const std::string& user)
{
  passwd* passwd;
  if ((passwd = ::getpwnam(user.c_str())) == NULL) {
    PLOG(ERROR) << "Failed to get user information for '"
                << user << "', getpwnam";
    return false;
  }

  if (::setgid(passwd->pw_gid) < 0) {
    PLOG(ERROR) << "Failed to set group id, setgid";
    return false;
  }

  if (::setuid(passwd->pw_uid) < 0) {
    PLOG(ERROR) << "Failed to set user id, setuid";
    return false;
  }

  return true;
}
{code}

Is this non-compliant? It looks like setgid and setuid are done in the correct order.

> missing-call-to-setgroups
> -------------------------
>
>                 Key: MESOS-719
>                 URL: https://issues.apache.org/jira/browse/MESOS-719
>             Project: Mesos
>          Issue Type: Bug
>          Components: general
>    Affects Versions: 0.15.0
>            Reporter: Timothy St. Clair
>              Labels: newbie
>
> This traces into stout/os.hpp
> In vetting the code as part of Fedora packaging, rpmlint outputs an error around priv-changing.
> mesos.x86_64: E: missing-call-to-setgroups /usr/lib64/libmesos-0.15.0.so.0.0.0
> https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges



--
This message was sent by Atlassian JIRA
(v6.1#6144)
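The revocation order POS36-C asks for, written out as an added example that is not Mesos code: the names dropPrivileges, su and fail are assumed, the supplementary group list is taken from getgrouplist(3) rather than left as inherited, and a verification step tries to regain root after the drop.

```cpp
#include <grp.h>
#include <pwd.h>
#include <unistd.h>
#include <cerrno>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Assumed helper standing in for PLOG(ERROR): report the failing call and errno.
static bool fail(const char* call) {
  std::cerr << "Failed to " << call << ": " << std::strerror(errno) << "\n";
  return false;
}

// POS36-C order: supplementary groups, then primary gid, then uid, then verify.
// Only a privileged process (CAP_SETGID/CAP_SETUID) can complete the drop.
inline bool dropPrivileges(uid_t uid, gid_t gid, const std::vector<gid_t>& groups)
{
  // setgroups is the call rpmlint reports as missing: without it the process
  // keeps every supplementary group it inherited from root.
  if (::setgroups(groups.size(), groups.empty() ? NULL : groups.data()) < 0) {
    return fail("set supplementary groups, setgroups");
  }
  // gid before uid: once the uid is unprivileged, setgid is no longer allowed.
  if (::setgid(gid) < 0) return fail("set group id, setgid");
  if (::setuid(uid) < 0) return fail("set user id, setuid");
  // Verify the drop (POS37-C): effective ids match and root is unreachable.
  if (::geteuid() != uid || ::getegid() != gid ||
      (uid != 0 && ::setuid(0) == 0)) {
    std::cerr << "Privilege drop incomplete: root is still reachable\n";
    return false;
  }
  return true;
}

// Same shape as os::su(user): resolve the account with getpwnam and its group
// list with getgrouplist(3), then drop in the order above.
inline bool su(const std::string& user)
{
  passwd* pw = ::getpwnam(user.c_str());
  if (pw == NULL) return fail("get user information, getpwnam");
  int n = 1;
  std::vector<gid_t> groups(n);
  while (::getgrouplist(user.c_str(), pw->pw_gid, groups.data(), &n) < 0) {
    groups.resize(n);  // -1 means the buffer was too small; n is the real count
  }
  groups.resize(n);
  return dropPrivileges(pw->pw_uid, pw->pw_gid, groups);
}
```

Run as root the drop succeeds and setuid(0) afterwards fails; run unprivileged it stops at setgroups with EPERM instead of silently keeping the inherited groups.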