Bug 359621 - Unneeded setgid requirement
Status: REPORTED
Alias: None
Product: frameworks-kdesu
Classification: Frameworks and Libraries
Component: general
Version: unspecified
Platform: Debian unstable Linux
Importance: NOR normal
Target Milestone: ---
Assignee: kdelibs bugs
Reported: 2016-02-21 07:34 UTC by Maximiliano Curia
Modified: 2021-03-09 05:54 UTC (History)
Description Maximiliano Curia 2016-02-21 07:34:44 UTC
Hi,

The kdesu framework currently requires the kdesud to be setgid; the documentation about this requirement says (client.h):
 The daemon should be installed setgid nogroup, in order to be able to act as an inaccessible,
 trusted 3rd party.

Even the check for the daemon file to be setgid is part of the public API of the kdesu framework:
class KDESU_EXPORT KDEsuClient
{
public:
 ...
 bool isServerSGID();
...

But, AFAICS, this provides no additional "security". In fact, it would be better if the check were "make sure the daemon is not setuid", or if it denies ptrace.

AFAIK, having the setgid in place only serves as a way to change the effective primary group, which will be used for files created by this process.

Unless there is a real reason for this requirement, please drop it.

Happy hacking,

Reproducible: Always
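
Added example, not part of the original report and not kdesu code: a sketch of the two checks the description proposes in place of the setgid test, namely rejecting a setuid daemon binary and having the daemon deny ptrace. The function names are hypothetical, and using Linux prctl(PR_SET_DUMPABLE, 0) as the ptrace denial is an assumption of this example.

```cpp
// Added illustration (Linux). All names below are hypothetical, not kdesu API.
#include <sys/stat.h>
#include <sys/prctl.h>
#include <cstdio>

enum ModeFinding { MODE_PLAIN = 0, MODE_SETGID = 1, MODE_SETUID = 2 };

// Report which special permission bits are set in a file mode.
int audit_mode(mode_t mode) {
    int findings = MODE_PLAIN;
    if (mode & S_ISGID) findings |= MODE_SETGID;
    if (mode & S_ISUID) findings |= MODE_SETUID;
    return findings;
}

// stat() the daemon binary; returns -1 if it is missing or not a regular file.
int audit_daemon_file(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    return audit_mode(st.st_mode);
}

// Policy suggested in the report: the binary must not be setuid.
// Setgid is neither required nor rejected here.
bool daemon_mode_acceptable(int findings) {
    return findings >= 0 && !(findings & MODE_SETUID);
}

// Clear the "dumpable" flag so unprivileged processes cannot PTRACE_ATTACH
// to this process, then read the flag back to confirm it took effect.
bool deny_ptrace() {
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return false;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        std::fprintf(stderr, "usage: %s /path/to/daemon\n", argv[0]);
        return 2;
    }
    int findings = audit_daemon_file(argv[1]);
    std::printf("setgid=%d setuid=%d acceptable=%d\n",
                findings >= 0 && (findings & MODE_SETGID) != 0,
                findings >= 0 && (findings & MODE_SETUID) != 0,
                daemon_mode_acceptable(findings));
    std::printf("ptrace denied for this process: %d\n", deny_ptrace());
    return daemon_mode_acceptable(findings) ? 0 : 1;
}
```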
Comment 1 Justin Zobel 2021-03-09 05:54:12 UTC
Thank you for the bug report.

As this report hasn't seen any changes in 5 years or more, we ask if you can please confirm that the issue still persists.

If this bug is no longer persisting or relevant, please change the status to resolved.