The patches have been merged into one.
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://github.com/apache/trafficserver/pull/11855
Origin: https://github.com/apache/trafficserver/pull/11872
Bug: https://github.com/advisories/GHSA-6j2p-q7p9-hmxw
Bug-Debian: https://bugs.debian.org/
1087531
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-50306
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-50306
Gbp-Pq: Name CVE-2024-50306.patch
#endif
// Always repopulate the supplementary group list for the new user.
- initgroups(pwd->pw_name, pwd->pw_gid);
+ if (geteuid() == 0) { // check that we have enough rights to call initgroups()
+ if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+ Fatal("switching to user %s, failed to initialize supplementary groups ID %ld", pwd->pw_name, (long)pwd->pw_gid);
+ }
+ }
switch (level) {
case IMPERSONATE_PERMANENT: