Comment 5 for bug 509734

Ansgar Burchardt (aburch) wrote : Re: [Bug 509734] Re: execution fails with "Cannot delete saved userids: Operation not permitted"

Hi,

greenmoss writes:
> strace output is attached
Thanks.

This is the relevant section from atd.c:
   342     if (chdir(ATJOB_DIR) < 0)
   343         perr("Cannot chdir to " ATJOB_DIR);
   344     PRIV_START
   345     nice((tolower((int) queue) - 'a' + 1) * 2);
   346     if (initgroups(pentry->pw_name, pentry->pw_gid))
   347         perr("Cannot delete saved userids");

And the same part in the output from strace:
   522 20241 chdir("/var/spool/cron/atjobs") = 0
   523 20241 setreuid32(1, 0) = 0
   524 20241 setregid32(1, 0) = 0
   525 20241 getpriority(PRIO_PROCESS, 0) = 20
   526 20241 setpriority(PRIO_PROCESS, 0, 2) = 0
   527 20241 getpriority(PRIO_PROCESS, 0) = 18

So far everything looks ok. Now only initgroups() is left:
   528 20241 open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 5

While looking up the groups, suddenly the following happens:
   828 20241 getuid32() = 1
   829 20241 mlock(0xb7348000, 32768) = 0
   830 20241 geteuid32() = 0
   831 20241 setuid32(1) = 0
   832 20241 getuid32() = 1
   833 20241 geteuid32() = 1
   834 20241 setuid32(0) = -1 EPERM (Operation not permitted)

It looks like the NSS module drops privileges?!
Of course, setgroups thus fails:

  2005 20241 setgroups32(2, [0, 512]) = -1 EPERM (Operation not permitted)

You seem to be using the libnss-ldap module. Does at work correctly if
you disable it?

Regards,
Ansgar
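The failure in the trace comes down to how the kernel treats setuid() versus seteuid() once the effective uid is 0. The following simulation of the Linux credential rules is an added illustration, not code from atd, libnss-ldap or the bug reporter; it replays the three calls seen in the trace and, for comparison, the same sequence with seteuid(), which keeps the saved uid. It assumes the simplification that "privileged" means euid == 0 and that setreuid() always sets both ids.

```c
#include <errno.h>
#include <stdio.h>

/* Simulated Linux credential rules (setuid(2), seteuid(2), setreuid(2)).
 * Assumption: privilege is just "euid == 0", standing in for CAP_SETUID. */
typedef struct { unsigned ruid, euid, suid; } creds_t;

static int privileged(const creds_t *c) { return c->euid == 0; }

/* setuid(): a privileged caller sets real, effective AND saved uid; an
 * unprivileged caller may only move the effective uid to the real or saved uid. */
int sim_setuid(creds_t *c, unsigned uid) {
    if (privileged(c)) { c->ruid = c->euid = c->suid = uid; return 0; }
    if (uid == c->ruid || uid == c->suid) { c->euid = uid; return 0; }
    errno = EPERM; return -1;
}

/* seteuid(): only the effective uid changes, so the saved uid is preserved and
 * a later seteuid(0) can regain root. */
int sim_seteuid(creds_t *c, unsigned euid) {
    if (privileged(c) || euid == c->ruid || euid == c->suid) { c->euid = euid; return 0; }
    errno = EPERM; return -1;
}

/* setreuid() as used by atd's PRIV_START. Simplified: both ids are always set, so
 * the saved uid always follows the new effective uid. */
int sim_setreuid(creds_t *c, unsigned ruid, unsigned euid) {
    if (!privileged(c) && ((ruid != c->ruid && ruid != c->euid) ||
                           (euid != c->ruid && euid != c->euid && euid != c->suid))) {
        errno = EPERM; return -1;
    }
    c->ruid = ruid; c->euid = euid; c->suid = euid;
    return 0;
}

/* Replays the trace: setreuid32(1, 0), then setuid32(1), then setuid32(0).
 * Returns the result of the last call, which is -1 (EPERM) as in the trace. */
int replay_with_setuid(creds_t *c) {
    *c = (creds_t){0, 0, 0};       /* atd starts as root */
    sim_setreuid(c, 1, 0);         /* PRIV_START: real 1, effective 0, saved 0 */
    sim_setuid(c, 1);              /* privileged setuid() also overwrites saved uid */
    return sim_setuid(c, 0);       /* saved uid is now 1, so root cannot be regained */
}

/* Same sequence with seteuid(): the saved uid stays 0 and the last call succeeds. */
int replay_with_seteuid(creds_t *c) {
    *c = (creds_t){0, 0, 0};
    sim_setreuid(c, 1, 0);
    sim_seteuid(c, 1);
    return sim_seteuid(c, 0);
}
```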