[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: __libc_enable_secure & sgid to different own group

From: Samuel Thibault
Subject: Re: __libc_enable_secure & sgid to different own group
Date: Thu, 2 Jul 2015 01:35:18 +0200
User-agent: Mutt/1.5.21+34 (58baf7c9f32f) (2010-12-30)


Pino Toscano, le Sat 27 Jun 2015 14:03:08 +0200, a écrit :
> $ groups
> users dialout [...]
> $ chown $(id -nu).dialout frob-gid
> $ chmod g+s frob-gid
> At this point, the output of frob-gid is 1 on Linux, while 0 on Hurd.

So the user was actually already part of the dialout group?

Then I'd say we indeed have no reason to set __libc_enable_secure to 1:
there is no privilege escalation here, so no reason to disable any
features (which is the consequence of __libc_enable_secure being 1)

> p11-kit uses __libc_enable_secure in its replacement for
> getauxval(AT_SECURE), falling back to issetugid (which we don't have)
> and then to getresuid (which we have).
> I don't have much knowledge in how this behaviour should be, so
> a) the current Hurd behaviour is fine and conformant, so p11-kit should
>    avoid using __libc_enable_secure for getauxval(AT_SECURE)

For me getauxval(AT_SECURE) should also return 0 in this case, since
there is no privilege escalation.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]