    Fix race condition with getgrouplist(). · 8cb636dd
    Tim Wickberg authored
    If the second call to getgrouplist() found additional groups,
    ngroups will be overwritten with this new larger value, while
    the gids list would be truncated. (ngroups is a value-result arg.)
    This will then lead to _gids_cache_lookup() returning the wrong
    number of groups including invalid parts of memory, which are likely
    to include some zeros.
    
    Those zeros could then make it to the setgroups() call and thus
    give the user access to the root group. Especially as setgroups
    will succeed as long as the array does not contain -1 as a gid.
    
    Bug 3320.
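
The value-result behaviour described in the commit message, as an added example that is not Slurm's code: `fake_getgrouplist()`, `lookup_unchecked()` and `lookup_checked()` are hypothetical names, and the stand-in replaces the real getgrouplist(3) so the membership change between calls is reproducible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
/* Constructed stand-in for getgrouplist(3): same value-result contract.
 * The user gains a fourth group after the first call (simulated race). */
static int fake_calls;
static int fake_getgrouplist(gid_t *groups, int *ngroups)
{
    int have = (fake_calls++ == 0) ? 3 : 4, cap = *ngroups;
    for (int i = 0; i < have && i < cap; i++)
        groups[i] = 1000 + i;      /* never writes past cap */
    *ngroups = have;               /* always overwritten with needed count */
    return have <= cap ? have : -1;
}

/* Sketch of the pattern the message describes: second return value ignored.
 * Returns the count a caller would trust; *cap is what was allocated. */
static int lookup_unchecked(gid_t **out, int *cap)
{
    int n = *cap = 1;
    gid_t *g = malloc(n * sizeof(*g)), *tmp;
    if (!g) return -1;
    if (fake_getgrouplist(g, &n) == -1) {
        if (!(tmp = realloc(g, n * sizeof(*g)))) { free(g); return -1; }
        g = tmp;
        *cap = n;
        fake_getgrouplist(g, &n);  /* n may now exceed *cap */
    }
    *out = g;
    return n;
}

/* Hardened form: retry until the call succeeds, so count <= allocation. */
static int lookup_checked(gid_t **out, int *cap)
{
    gid_t *g = NULL, *tmp;
    for (int n = 1;;) {
        if (!(tmp = realloc(g, n * sizeof(*g)))) { free(g); return -1; }
        g = tmp;
        *cap = n;
        if (fake_getgrouplist(g, &n) != -1) { *out = g; return n; }
    }
}

int main(void)
{
    gid_t *g; int cap, n;
    fake_calls = 0; n = lookup_unchecked(&g, &cap); printf("unchecked: count=%d alloc=%d\n", n, cap); free(g);
    fake_calls = 0; n = lookup_checked(&g, &cap); printf("checked: count=%d alloc=%d\n", n, cap); free(g);
    return 0;
}
```

In the unchecked path the reported count is one larger than the allocation, so any consumer that walks `count` entries reads past the array; the retry loop keeps the two equal.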