rpmlint warning: missing-call-to-setgroups-before-setuid

[daxim]

When packaging libuv-0.11.19 on openSUSE 13.1, rpmlint reports the warning:

libuv11.x86_64: W: missing-call-to-setgroups-before-setuid /usr/lib64/libuv.so.11.0.0
This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this mean it didn't relinquish all groups, and
this would be a potential security issue to be fixed. Seek POS36-C on the web
for details about the problem.

Is this warning legimitate or bogus? If the former, that should be fixed in the libuv source code. If the latter, I can suppress the warning in the specfile.

[Sannis]

@daxim are you plan to deploy that rpm to devel:languages:nodejs or some other channel on openSUSE build services?

[daxim]

libuv is one of the indirect dependencies of rakudo; I plan to submit it to devel:languages:parrot.

[bnoordhuis]

I came here to report this as a bug. Yes, this is a potential security issue that needs to be addressed.

(EDIT: Another thing that libuv should do on Linux is drop some or all capabilities.)

/cc @indutny

[saghul]

Landed a fix for this warning in 66ab389. We should also drop some (or all) capabilities on Linux, I created #1106 for that.

[saghul]

On 08/18/2015 09:57, Lubomir Rintel wrote:

FWIW this patch is incorrect. With size of 0, it doesn't set anything:

If size is zero, list is not modified, but the total number of
supplementary group IDs for the process is returned. This allows the
caller to determine the size of a dynamically allocated list to be
used in a further call to getgroups().

My understanding is that what you quoted applies to getgroups, not
setgroups, which is what we are using here. Can you point me to another
resource stating this is incorrect? I'm surprised, because many eyes saw
this patch, as we had to issue a CVE, and I'd hate it if it was wrong
after all. Thanks!

[lkundrak]

@saghul sorry for the noise; I read the manual incorrect. The paragraph actually referred to getgroups().

Need more coffee.

Sorry again.

[saghul]

No problem!