nsenter: fix set{gid,uid} order,drop supplementary groups
authorKarel Zak <kzak@redhat.com>
Thu, 6 Feb 2014 13:14:50 +0000 (14:14 +0100)
committerKarel Zak <kzak@redhat.com>
Thu, 6 Feb 2014 13:14:50 +0000 (14:14 +0100)
.. always, always setgid() before setuid()!

Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1061751
Signed-off-by: Karel Zak <kzak@redhat.com>
sys-utils/nsenter.c

index 13f729e53bb8a0312969592c70808a9ddc6bb3ea..dfb1a3b5163f9bdd52ab5efc600cd1ac924835c1 100644 (file)
@@ -28,6 +28,7 @@
 #include <assert.h>
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <grp.h>
 
 #include "strutils.h"
 #include "nls.h"
@@ -328,10 +329,12 @@ int main(int argc, char *argv[])
                continue_as_child();
 
        if (namespaces & CLONE_NEWUSER) {
-               if (setuid(uid) < 0)
-                       err(EXIT_FAILURE, _("setuid failed"));
+               if (setgroups(0, NULL))         /* drop supplementary groups */
+                       err(EXIT_FAILURE, _("setgroups failed"));
                if (setgid(gid) < 0)
                        err(EXIT_FAILURE, _("setgid failed"));
+               if (setuid(uid) < 0)
+                       err(EXIT_FAILURE, _("setuid failed"));
        }
 
        if (optind < argc) {
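Review bot: The ordering this block depends on is not recorded in the code: `setgroups()` and `setgid()` have to run before `setuid()`, because once the uid has changed the process may no longer hold the privilege needed to change its groups, and the old gid and supplementary groups would then silently stay in place. A comment above the three calls, such as `/* order matters: drop supplementary groups and gid while still privileged, setuid() last */`, would keep a later cleanup from reordering them. The new `if (setgroups(0, NULL))` also tests for non-zero while its two neighbours test `< 0`; writing `if (setgroups(0, NULL) < 0)` keeps the three checks uniform. Credentials are only switched inside `if (namespaces & CLONE_NEWUSER)`, and main() starts and ends outside the hunk, so whether a uid/gid can be requested without that flag is not visible here.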