Report incorrect group information in users #2190

Open
wants to merge 1 commit into
base: main

@danth danth commented Jan 15, 2025

This is already documented in ogham/rust-users#44 regarding listing the groups for the current process. However, this also affects listing the supplementary groups for a particular user.

I discovered this while implementing a file server which controls access based on the underlying filesystem permissions. If the file in question was owned by the root group, then it would inadvertently be accessible to everyone, as they are believed to be a member of that group.

There may be other applications out there doing something similar, hence I think it's important to raise this as a security issue and not just a general bug.

The boundary for the affected versions is based on this commit and this commit, where the functionality was first introduced.

@danth danth marked this pull request as draft January 15, 2025 02:31
@danth danth marked this pull request as ready for review January 15, 2025 02:39