From: Karel Zak <kzak@redhat.com>
Date: Thu, 6 Feb 2014 13:14:50 +0000 (+0100)
Subject: nsenter: fix set{gid,uid} order,drop supplementary groups
X-Git-Tag: v2.25-rc1~622
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=99d7e174119e8717efae0f0fec5f7dec14492fb3;p=thirdparty%2Futil-linux.git

nsenter: fix set{gid,uid} order,drop supplementary groups

.. always, always setgid() before setuid()!

Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1061751
Signed-off-by: Karel Zak <kzak@redhat.com>
---

diff --git a/sys-utils/nsenter.c b/sys-utils/nsenter.c
index 13f729e53b..dfb1a3b516 100644
--- a/sys-utils/nsenter.c
+++ b/sys-utils/nsenter.c
@@ -28,6 +28,7 @@
 #include <assert.h>
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <grp.h>
 
 #include "strutils.h"
 #include "nls.h"
@@ -328,10 +329,12 @@ int main(int argc, char *argv[])
 		continue_as_child();
 
 	if (namespaces & CLONE_NEWUSER) {
-		if (setuid(uid) < 0)
-			err(EXIT_FAILURE, _("setuid failed"));
+		if (setgroups(0, NULL))		/* drop supplementary groups */
+			err(EXIT_FAILURE, _("setgroups failed"));
 		if (setgid(gid) < 0)
 			err(EXIT_FAILURE, _("setgid failed"));
+		if (setuid(uid) < 0)
+			err(EXIT_FAILURE, _("setuid failed"));
 	}
 
 	if (optind < argc) {