[PATCH] nptl: Zero-extend arguments to SETXID syscalls [BZ #26248]
Florian Weimer
fweimer@redhat.com
Mon Jul 20 11:38:41 GMT 2020
* Carlos O'Donell:
> On 7/17/20 11:13 AM, Florian Weimer wrote:
>> * Carlos O'Donell:
>>
>>> This test should run in a container, and it should attempt two setgroups
>>> calls, one with groups and one empty with a bad address.
>>
>> Why do you think this needs a container?
>
> We are trying to successfully call setgroups(), and to do that we need
> CAP_SETGID.

Hmm, I think you are right: Since group membership can be used to
restrict privileges, removing supplementary groups is itself a
privileged call.

Thanks,
Florian