check_setugid: check uids to actually be 0

Stas Sergeev requested to merge stsp2/gtk:suid_fix into gtk-3-24

Currently the code in check_setugid() checks for a UID mismatch, and exits in that case, assuming it is a privilege escalation. But the actual check for the priv escalation is missing. Such a check can, at the very least, see if either of the UIDs is 0. In other cases it may be a priv drop, rather than an escalation.

This patch adds the simplest check for either of the UIDs being equal to 0.

Fixes: #6629
