From e3ff4e663ce34d57bac81c94f3d885c58e56b9b4 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 6 Apr 2021 14:30:16 -0600
Subject: [PATCH] Set user group list when executing the askpass helper.

Under normal circumstances the existing group list will match the list fetched by sudo. However, if sudo is executed by a process that has changed the group list via setgroups(2) and "group_source" in sudo.conf is set to "dynamic" it is possible for them to be different. If group_source in sudo.conf is set to "dynamic" it is possible for the group list
---
 src/tgetpass.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/tgetpass.c b/src/tgetpass.c
index 87f01dc38..b12301100 100644
--- a/src/tgetpass.c
+++ b/src/tgetpass.c
@@ -289,6 +289,7 @@ static char *
 sudo_askpass(const char *askpass, const char *prompt)
 {
     static char buf[SUDO_CONV_REPL_MAX + 1], *pass;
+    struct sudo_cred *cred = &user_details.cred;
     struct sigaction sa, savechld;
     enum tgetpass_errval errval;
     int pfd[2], status;
@@ -323,12 +324,18 @@ sudo_askpass(const char *askpass, const char *prompt)
     restore_limits();
     /* But avoid a setuid() failure on Linux due to RLIMIT_NPROC. */
     unlimit_nproc();
-    if (setgid(user_details.cred.gid)) {
-        sudo_warn(U_("unable to set gid to %u"), (unsigned int)user_details.cred.gid);
+    if (setgid(cred->gid)) {
+        sudo_warn(U_("unable to set gid to %u"), (unsigned int)cred->gid);
         _exit(255);
     }
-    if (setuid(user_details.cred.uid)) {
-        sudo_warn(U_("unable to set uid to %u"), (unsigned int)user_details.cred.uid);
+    if (cred->ngroups != -1) {
+        if (sudo_setgroups(cred->ngroups, cred->groups) == -1) {
+            sudo_warn("%s", U_("unable to set supplementary group IDs"));
+            _exit(255);
+        }
+    }
+    if (setuid(cred->uid)) {
+        sudo_warn(U_("unable to set uid to %u"), (unsigned int)cred->uid);
         _exit(255);
     }
     restore_nproc();
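Review bot: The new local `cred` in the first hunk is only ever read (gid, ngroups, groups, uid are passed to setgid/sudo_setgroups/setuid in the second hunk), so it should be declared `const struct sudo_cred *cred = &user_details.cred;` to make clear that the credential block cached from user_details is not modified in the child; this assumes sudo_setgroups accepts a const group array, which cannot be confirmed from the hunk. sudo_askpass's body continues well past this hunk.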
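Review bot: When `cred->ngroups == -1` the new block in the second hunk silently skips sudo_setgroups, so the askpass helper keeps whatever supplementary group list the child inherited — which is exactly the divergence the commit message is trying to remove — and the hunk does not show whether -1 means "not fetched" or "fetch failed". That fallback deserves a comment on the guard, e.g. `/* ngroups == -1: no group list was fetched, keep the inherited one. */`, so a later reader does not mistake it for a no-op case. The ordering setgid → setgroups → setuid is the right one since setgroups needs the privilege that setuid drops; a one-line comment saying so would keep a future reshuffle from breaking it. The enclosing sudo_askpass starts and ends outside this hunk.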