© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
Mark, thank you so much for finding this bug.
I'm the maintainer for fscrypt, and the attached patch (when applied to fscrypt's master branch) seems to resolve this issue. I ran a few tests on my local system (along with fscrypt's existing tests) and everything still seems to be working.
The bug was caused by the fscrypt PAM module's privilege dropping code. It would drop privileges (for security, ironically enough) before performing unprivileged actions on behalf of the user. However, when restoring privileges before the PAM module exited, the EUID EGID and groups were all set back to root. However, when running su, the GID and groups in a PAM module are those of the user (while the UID is root). So this restored _too many_ privileges making the user part of the root group.
Let me know if there are any issues, if this patch breaks things, or if it doesn't fix the bug.
Joe