From: Todd C. Miller Date: Mon, 18 May 2009 10:33:33 +0000 (+0000) Subject: Remove group setting code in setusercontext case, we will do it ourselves X-Git-Tag: SUDO_1_7_2~26 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5f9f29a23301ae4f0742d4116cb69c3da10db1bc;p=sudo Remove group setting code in setusercontext case, we will do it ourselves later on in runas_setup. Set the gid after initgroups/setgroups is called, since on Mac OS X it seems to change the egid.
---
diff --git a/set_perms.c b/set_perms.c
index c61256611..686eeb171 100644
--- a/set_perms.c
+++ b/set_perms.c
@@ -558,13 +558,9 @@ runas_setup()
 #ifdef HAVE_LOGIN_CAP_H
 if (def_use_loginclass) {
 /*
- * We only use setusercontext() set the nice value and rlimits.
+ * We only use setusercontext() to set the nice value and rlimits.
 */
 flags = LOGIN_SETRESOURCES|LOGIN_SETPRIORITY;
- if (!def_preserve_groups)
- SET(flags, LOGIN_SETGROUP);
- else if (setgid(gid))
- warning("cannot set gid to runas gid");
 if (setusercontext(lc, runas_pw, runas_pw->pw_uid, flags)) {
 if (runas_pw->pw_uid != ROOT_UID)
 error(1, "unable to set user context");
@@ -573,11 +569,11 @@ runas_setup()
 }
 }
 #endif /* HAVE_LOGIN_CAP_H */
- if (setgid(gid))
- warning("cannot set gid to runas gid");
 /*
 * Initialize group vector
 */
 runas_setgroups();
+ if (setegid(gid) || setgid(gid))
+ warning("cannot set gid to runas gid");
 }
 }
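Review bot: The added `setegid(gid) || setgid(gid)` check at the end of the second hunk only calls `warning()` on failure, so runas_setup() appears to carry on and the command could run with whatever group ID the process already had instead of the runas one. Because the first hunk drops `LOGIN_SETGROUP` from the setusercontext() flags, this check is now the only place in the visible code where the group is set, which makes its failure handling more important. A failed privilege change is safer treated as fatal, as the setusercontext() branch already does for non-root targets: `error(1, "cannot set gid to runas gid");`. The reason for the ordering is recorded only in the commit message, so a comment above the check such as `/* Set gid after runas_setgroups(); on Mac OS X initgroups/setgroups seems to change the egid. */` would keep it from being moved back. runas_setup() begins and ends outside both hunks, and where `gid` is assigned is not visible here.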