In early 2002 gnome 1.4.1 announcement said gdm (2.2.4.1 -> 2.2.5.4) "SECURITY FIX! reset egid to user gid before starting a session. robustness fixes, ....." No CVE name was assigned to this issue. Using gnome webcvs I traced that message to this patch: http://cvs.gnome.org/viewcvs/gdm2/daemon/slave.c?r1=1.111&r2=1.112 "set egid to the correct value before we do setuid to avoid running the session with gdm group privilages. (Note that all session files run bash and thus drop those, but this is a problem for the failsafes)" Looking at the gdm package we shipped with RHEL2.1 (gdm-2.2.3.1-20) and subsequent errata (gdm-2.2.3.1-20.1) they do not contain this fix. This is a minor issue, but we should correct it in the future along with any other gdm fixes.
Hi Mark. It looks to me like gdm-2.2.3.1 isn't affected by this problem. It already calls setgid() and initgroups() before calling setuid(), so setegid() shouldn't be needed: if (setgid (pwent->pw_gid) < 0) gdm_child_exit (DISPLAY_REMANAGE, _("gdm_slave_session_start: Could not setgid %d. Aborting."), pwent->pw_gid); if (initgroups (login, pwent->pw_gid) < 0) gdm_child_exit (DISPLAY_REMANAGE, _("gdm_slave_session_start: initgroups() failed for %s. Aborting."), login); if (setuid (pwent->pw_uid) < 0) gdm_child_exit (DISPLAY_REMANAGE, _("gdm_slave_session_start: Could not become %s. Aborting."), login); I'm closing NOTABUG, but if I've missed something, please reopen. Thanks.
Confirmed, gdm-2.2.3.1 isn't affected by this problem. It seems that the issue was introduced by this update: http://cvs.gnome.org/viewcvs/gdm2/daemon/slave.c?r1=1.108&r2=1.109