From ee5763a2bce7d2b09af3398f711c890e967698fd Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Mon, 25 Nov 2013 13:24:30 +0100
Subject: [PATCH] drop also supplementary groups when dropping privileges

---
 gpsd-setgroups.patch | 23 +++++++++++++++++++++++
 gpsd.spec | 3 +++
 2 files changed, 26 insertions(+)
 create mode 100644 gpsd-setgroups.patch

diff --git a/gpsd-setgroups.patch b/gpsd-setgroups.patch
new file mode 100644
index 0000000..0afb91c
--- /dev/null
+++ b/gpsd-setgroups.patch
@@ -0,0 +1,23 @@
+commit c3f7db262c8e2e615dae9c3db6f0385bddc48df2
+Author: Miroslav Lichvar
+Date: Fri Nov 22 18:19:41 2013 +0100
+
+ Drop also supplementary groups when dropping privileges.
+
+ Signed-off-by: Eric S. Raymond
+
+diff --git a/gpsd.c b/gpsd.c
+index c77f684..76d1850 100644
+--- a/gpsd.c
++++ b/gpsd.c
+@@ -2059,6 +2059,10 @@ int main(int argc, char *argv[])
+ * of any compromises in the code. It requires that all GPS
+ * devices have their group read/write permissions set.
+ */
++ if (setgroups(0, NULL) != 0)
++ gpsd_report(context.debug, LOG_ERROR,
++ "setgroups() failed, errno %s\n",
++ strerror(errno));
+ /*@-type@*/
+ #ifdef GPSD_GROUP
+ {
diff --git a/gpsd.spec b/gpsd.spec
index ec941ea..dc4d420 100644
--- a/gpsd.spec
+++ b/gpsd.spec
@@ -17,6 +17,8 @@ Patch1: gpsd-nolibcap.patch
 Patch2: gpsd-linkflags.patch
 # set time stamp in chrony SOCK sample correctly
 Patch3: gpsd-chronyts.patch
+# drop also supplementary groups when dropping privileges
+Patch4: gpsd-setgroups.patch

 BuildRequires: dbus-devel dbus-glib-devel ncurses-devel xmlto python-devel
 BuildRequires: scons desktop-file-utils bluez-libs-devel pps-tools-devel
@@ -82,6 +84,7 @@ can run on a serial terminal or terminal emulator.
 %patch1 -p1 -b .nolibcap
 %patch2 -p1 -b .linkflags
 %patch3 -p1 -b .chronyts
+%patch4 -p1 -b .setgroups

 %build
 export CCFLAGS="%{optflags}"
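Review bot: In the gpsd.c hunk carried by gpsd-setgroups.patch, a failing `setgroups(0, NULL)` is only logged through `gpsd_report(..., LOG_ERROR, ...)`. main() then carries on, so the daemon would keep the supplementary groups it inherited from its root start-up, which is the condition this patch sets out to remove. A privilege drop that cannot be completed should stop the process: put the report in braces and follow it with `exit(EXIT_FAILURE);`. The call sits before the `#ifdef GPSD_GROUP` block, which looks like the right order if that block is where the gid and uid are changed, but the block's body and the rest of main() are outside the hunk, so this needs confirming against the full file. The hunk adds no `#include <grp.h>`, so check that gpsd.c already has a declaration of setgroups() in scope.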