(#12457) add users primary group, not Process.gid, in initgroups
a96babffebdaUnpublished
Actions

Unpublished Commit · Learn More

Repository Importing: This repository is still importing.

Description

(#12457) add users primary group, not Process.gid, in initgroups

The Process.gid (real gid) was always included when initialising supplementary
groups in the initgroups method (called when changing the euid via the
change_user method). This has been replaced by the primary gid of the user.

This led to a privilege leak, as well as a potential surprise when it came to
file ownership, in both the agent and the master.

Fix and analysis by Dominic Cleal <dcleal@redhat.com>

Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>

Details

Provenance

Daniel Pittman <daniel@puppetlabs.com>	Authored on
Matthaus Litteken <matthaus@puppetlabs.com>	Committed on Feb 20 2012, 8:55 PM
vanmeeuwen	Pushed on Jun 2 2015, 2:22 PM

Parents

rPU2f215460a77b: Restore compatible `insync?` behaviour for matching arrays.

Branches

Unknown

Tags

Unknown

Event Timeline

Matthaus Litteken <matthaus@puppetlabs.com> committed rPUa96babffebda: (#12457) add users primary group, not Process.gid, in initgroups (authored by Daniel Pittman <daniel@puppetlabs.com>).Feb 20 2012, 8:55 PM

Changes (2)

Path

Size

lib/

puppet/

util/

suidmanager.rb

spec/

unit/

util/

suidmanager_spec.rb

rPUa96babffebda

View Options

lib/puppet/util/suidmanager.rb