On GNU/Linux systems that are built using RPM packages, the rpmlint utility complains about programs that don't call setgroups before setuid. The idea is that before dropping privileges, a process should also drop the list of supplementary group IDs with setgroups(0, NULL).

However, is this something that should always be done?

Suppose that we are running setuid root, and are carrying a list of supplementary group IDs from our original security context: the groups associated with the real user ID. When we drop back to that real user ID, we don't necessarily want to lose those groups: code executing as the original user may depend on those supplementary memberships being in place, right? Should we not omit setgroups(0, NULL) in setuid code before dropping privs to the original user?

(By the way, of course we don't drop privileges with setuid on Linux because that doesn't work for code running setuid non-root.)
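One way to satisfy both concerns, as an added example that is not part of the question: rather than clearing the list with setgroups(0, NULL), rebuild it from the group database for the real user (the list initgroups() would install), and do that while still root, because setgroups() needs CAP_SETGID. The function names, the MAX_GROUPS limit and the verification steps are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_GROUPS 256   /* assumed upper bound for this example */

/* Return 1 if list a is not the same set of gids as list b (order ignored). */
int groups_differ(const gid_t *a, int na, const gid_t *b, int nb)
{
    if (na != nb) return 1;
    for (int i = 0; i < na; i++) {
        int found = 0;
        for (int j = 0; j < nb && !found; j++) found = (a[i] == b[j]);
        if (!found) return 1;
    }
    return 0;
}

/* Drop from setuid-root back to the real user. Instead of setgroups(0, NULL),
 * reset the supplementary list to what the group database defines for the
 * real user (the list initgroups() would install). Returns 0 on success. */
int drop_to_real_user(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    gid_t groups[MAX_GROUPS], now[MAX_GROUPS];
    int ngroups = MAX_GROUPS, n;
    struct passwd *pw = getpwuid(ruid);
    if (pw == NULL) return -1;
    if (getgrouplist(pw->pw_name, rgid, groups, &ngroups) == -1)
        return -1;              /* user is in more than MAX_GROUPS groups */

    /* Order matters: setgroups() needs CAP_SETGID, so do it before giving up
     * root; then set real, effective AND saved ids so root cannot be regained. */
    if (setgroups((size_t)ngroups, groups) == -1) return -1;
    if (setresgid(rgid, rgid, rgid) == -1) return -1;
    if (setresuid(ruid, ruid, ruid) == -1) return -1;

    /* Verify the new state instead of trusting the return codes alone. */
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) == -1 || r != ruid || e != ruid || s != ruid)
        return -1;
    if (ruid != 0 && setuid(0) != -1) return -1;     /* must fail with EPERM */
    n = getgroups(MAX_GROUPS, now);
    if (n == -1 || groups_differ(now, n, groups, ngroups)) return -1;
    return 0;
}
```

Called from a setuid-root binary before any code runs on the user's behalf, this keeps the user's database-defined memberships while still replacing whatever supplementary list the process inherited.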