Commit 53e6ee7a authored by Thomas B. Rücker

SECURITY FIX - Override supplementary groups

In case of <changeowner> only UID and GID were changed, 
supplementary groups were left in place.
This is a potential security issue only if <changeowner> is used.
New behaviour is to set UID, GID and set supplementary groups
based on the UID.
Even in case of icecast remaining in supplementary group 0 
this "only" gives it things like access to files that are owned 
by group 0 and according to their umask. This is obviously bad,
but not as bad as UID 0 with all its other special rights.
It's a security issue and we fix immediately and recommend users to update.

PS: Cherry picking this should be fine by distros for fixing older releases.

svn path=/icecast/trunk/icecast/; revision=19137
parent 4c52d8f2
......@@ -6,9 +6,10 @@
* Copyright 2000-2004, Jack Moffitt <,
* Michael Smith <>,
* oddsock <>,
* Karl Heyes <>
* Karl Heyes <>,
* and others (see AUTHORS for details).
* Copyright 2011-2012, Philipp "ph3-der-loewe" Schafft <>,
* Copyright 2014, Thomas B. Ruecker <>.
/* -*- c-basic-offset: 4; indent-tabs-mode: nil; -*- */
......@@ -396,14 +397,15 @@ static void _ch_root_uid_setup(void)
if(gid != (gid_t)-1) {
if(uid != (uid_t)-1 && gid != (gid_t)-1) {
fprintf(stdout, "Changed groupid to %i.\n", (int)gid);
fprintf(stdout, "Error changing groupid: %s.\n", strerror(errno));
if(uid != (uid_t)-1) {
if(!initgroups(conf->user, gid))
fprintf(stdout, "Changed supplementary groups based on user: %s.\n", conf->user);
fprintf(stdout, "Error changing supplementary groups: %s.\n", strerror(errno));
fprintf(stdout, "Changed userid to %i.\n", (int)uid);
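Review bot: the failure branch of initgroups(conf->user, gid) in _ch_root_uid_setup() only prints "Error changing supplementary groups" to stdout, and nothing in the lines shown stops startup. If the call fails, the process can go on to the "Changed userid" step while still holding the supplementary groups it inherited, which is the condition this commit sets out to remove. I would treat a non-zero return here as fatal: report it on stderr and exit before the UID change. The "Error changing groupid" line just above has the same shape and deserves the same handling. Separately, the hunk carries both if(gid != (gid_t)-1) and if(uid != (uid_t)-1 && gid != (gid_t)-1); if the combined test replaces the first, a configuration that sets only a group under <changeowner> would no longer change the GID at all, so that case should either be handled or documented.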