Re: __libc_enable_secure & sgid to different own group
From: Samuel Thibault
Subject: Re: __libc_enable_secure & sgid to different own group
Date: Thu, 2 Jul 2015 01:35:18 +0200
User-agent: Mutt/1.5.21+34 (58baf7c9f32f) (2010-12-30)
Hello,
Pino Toscano, on Sat 27 Jun 2015 14:03:08 +0200, wrote:
> $ groups
> users dialout [...]
> $ chown $(id -nu).dialout frob-gid
> $ chmod g+s frob-gid
>
> At this point, the output of frob-gid is 1 on Linux, while 0 on Hurd.
So the user was actually already part of the dialout group?
Then I'd say we indeed have no reason to set __libc_enable_secure to 1:
there is no privilege escalation here, so no reason to disable any
features (which is the consequence of __libc_enable_secure being 1).
> p11-kit uses __libc_enable_secure in its replacement for
> getauxval(AT_SECURE), falling back to issetugid (which we don't have)
> and then to getresuid (which we have).
>
> I don't have much knowledge in how this behaviour should be, so
> a) the current Hurd behaviour is fine and conformant, so p11-kit should
> avoid using __libc_enable_secure for getauxval(AT_SECURE)
For me getauxval(AT_SECURE) should also return 0 in this case, since
there is no privilege escalation.
Samuel
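
An added example (not part of the original message, and not glibc, Hurd or p11-kit code) contrasting the two policies discussed in this thread: flagging any real/effective ID mismatch versus flagging only a real gain in privilege. The function names and the use of getgroups() to recover the invoking user's groups are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>
#include <sys/types.h>
#include <unistd.h>

/* ID-mismatch rule: secure whenever an effective ID differs from the real
 * one (simplified: the Linux kernel also looks at capabilities and LSMs). */
static bool id_mismatch(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Privilege-gain rule, following the reasoning in the message: a changed
 * egid only matters if the caller did not already hold that group. */
static bool gains_privilege(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                            const gid_t *groups, int ngroups)
{
    if (ruid != euid)
        return true;
    if (rgid == egid)
        return false;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == egid)
            return false; /* already a member: nothing new is granted */
    return true;
}

int main(void)
{
    /* Supplementary groups are inherited across exec, so they still describe
     * the invoking user. POSIX lets getgroups() include the egid itself; on
     * such a system this list cannot be used for the comparison. */
    int n = getgroups(0, NULL);
    gid_t *groups = n > 0 ? malloc((size_t)n * sizeof *groups) : NULL;
    if (n > 0 && (groups == NULL || (n = getgroups(n, groups)) < 0)) {
        perror("getgroups");
        return 1;
    }
    printf("getauxval(AT_SECURE) = %lu\n", getauxval(AT_SECURE));
    printf("id mismatch          = %d\n",
           id_mismatch(getuid(), geteuid(), getgid(), getegid()));
    printf("gains privilege      = %d\n",
           gains_privilege(getuid(), geteuid(), getgid(), getegid(), groups, n));
    free(groups);
    return 0;
}
```

Built and installed like the quoted frob-gid (sgid to a group the user already belongs to), the first two lines should read 1 on Linux while the third reads 0.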