[PATCH] nptl: Zero-extend arguments to SETXID syscalls [BZ #26248]

Florian Weimer fweimer@redhat.com
Mon Jul 20 11:38:41 GMT 2020


* Carlos O'Donell:

> On 7/17/20 11:13 AM, Florian Weimer wrote:
>> * Carlos O'Donell:
>> 
>>> This test should run in a container, and it should attempt two setgroups
>>> calls, one with groups and one empty with a bad address.
>> 
>> Why do you think this needs a container?
>
> We are trying to successfully call setgroups(), and to do that we need
> CAP_SETGID.

Hmm, I think you are right: Since group membership can be used to
restrict privileges, removing supplementary groups is itself a
privileged call.

Thanks,
Florian
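
An added illustration of the point in the reply above (not code from this thread or from glibc): a constructed model of the classic owner/group/other permission check, in which a file's mode denies its group while allowing everyone else, so a process that could empty its supplementary group list would gain read access. The struct names, the IDs and the 0604 mode are assumed sample values, and the model ignores ACLs and capabilities.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical, simplified credential and file metadata (not kernel types). */
struct cred { uid_t uid; gid_t gid; const gid_t *groups; size_t ngroups; };
struct file_meta { uid_t uid; gid_t gid; mode_t mode; };

static bool in_group(const struct cred *c, gid_t g)
{
    if (c->gid == g)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/* Exactly one class is selected (owner, then group, then other) and only
   that class's bits are consulted; a group match never falls through. */
bool may_read(const struct cred *c, const struct file_meta *f)
{
    if (c->uid == f->uid)
        return (f->mode & S_IRUSR) != 0;
    if (in_group(c, f->gid))
        return (f->mode & S_IRGRP) != 0;
    return (f->mode & S_IROTH) != 0;
}

/* Constructed sample: file owned by uid 0, gid 2000, mode 0604. */
static const struct file_meta sample = { 0, 2000, 0604 };
static const gid_t supplementary[] = { 2000 };

bool read_as_group_member(void)      /* supplementary groups = {2000} */
{
    struct cred c = { 1000, 1000, supplementary, 1 };
    return may_read(&c, &sample);
}

bool read_after_dropping_groups(void) /* as if setgroups(0, NULL) succeeded */
{
    struct cred c = { 1000, 1000, NULL, 0 };
    return may_read(&c, &sample);
}

int main(void)
{
    printf("member of gid 2000: %d\n", read_as_group_member());
    printf("after dropping groups: %d\n", read_after_dropping_groups());
    return 0;
}
```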


