fix: allow unsandboxed renderers to request new privileges #19953

Merged
merged 2 commits into from Aug 27, 2019

nornagon
Member

Description of Change

This used to be set for all processes, but was removed in #15229. This re-enables allow_new_privs but only for unsandboxed renderers. All other child processes will continue to have the default behaviour, which is to prevent new privileges via prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) (see prctl(2)).

Fixes #18521.

Checklist

Release Notes

Notes: Fixed an issue that prevented setuid binaries from being launched from the renderer process on Linux.
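
The `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` behaviour the description refers to, as an added example that is not code from this PR or from Electron: a forked child sets the flag, confirms the kernel refuses to clear it, and confirms that a process forked afterwards inherits it, which is why the setting has to be decided per child process at launch. The helper names `nnp_get` and `nnp_probe` are hypothetical, and the program is Linux-only.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Observations reported by nnp_probe() (names are hypothetical). */
enum { NNP_SET_OK = 1, NNP_CLEAR_REFUSED = 2, NNP_INHERITED = 4 };

/* no_new_privs state of the calling thread: 0, 1, or -1 on error. */
static int nnp_get(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Runs the experiment in a forked child so the caller's flag is untouched.
 * Returns a bitmask of NNP_* observations, or -1 if fork/wait failed. */
static int nnp_probe(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int bits = 0, gst = 0;
        /* Same call the PR description quotes for non-exempt children. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 && nnp_get() == 1)
            bits |= NNP_SET_OK;
        /* One-way flag: the kernel rejects any value other than 1. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 && errno == EINVAL)
            bits |= NNP_CLEAR_REFUSED;
        /* A grandchild forked afterwards starts with the flag already set. */
        pid_t gpid = fork();
        if (gpid == 0) _exit(nnp_get() == 1 ? 0 : 1);
        if (gpid > 0 && waitpid(gpid, &gst, 0) == gpid &&
            WIFEXITED(gst) && WEXITSTATUS(gst) == 0)
            bits |= NNP_INHERITED;
        _exit(bits);
    }
    int st = 0;
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

int main(void) {
    int before = nnp_get();
    int bits = nnp_probe();
    printf("parent: before=%d after=%d\n", before, nnp_get());
    printf("child: set=%d clear_refused=%d inherited=%d\n", !!(bits & NNP_SET_OK),
           !!(bits & NNP_CLEAR_REFUSED), !!(bits & NNP_INHERITED));
    return bits == 7 ? 0 : 1;
}
```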

@nornagon nornagon requested a review from a team as a code owner August 26, 2019 19:09
@electron-cation electron-cation bot added the new-pr 🌱 PR opened in the last 24 hours label Aug 26, 2019
Member

@deepak1556 deepak1556 left a comment

LGTM given the context from issue.

@nornagon
Member Author

Probably should also write a test for this.

Contributor

@jkleinsc jkleinsc left a comment

Can we add a test before merging?

@electron-cation electron-cation bot removed the new-pr 🌱 PR opened in the last 24 hours label Aug 27, 2019
@nornagon
Member Author

@jkleinsc PTAL, test added.

@jkleinsc jkleinsc merged commit 832c926 into master Aug 27, 2019
@release-clerk

release-clerk bot commented Aug 27, 2019

Release Notes Persisted

Fixed an issue that prevented setuid binaries from being launched from the renderer process on Linux.

@jkleinsc jkleinsc deleted the allow-new-privs branch August 27, 2019 22:35
@trop
Contributor

trop bot commented Aug 27, 2019

I was unable to backport this PR to "5-0-x" cleanly;
you will need to perform this backport manually.

@trop
Contributor

trop bot commented Aug 27, 2019

I was unable to backport this PR to "6-0-x" cleanly;
you will need to perform this backport manually.

@trop
Contributor

trop bot commented Aug 27, 2019

I was unable to backport this PR to "7-0-x" cleanly;
you will need to perform this backport manually.

@trop
Contributor

trop bot commented Aug 28, 2019

A maintainer has manually backported this PR to "7-0-x", please check out #19999

@trop
Contributor

trop bot commented Aug 29, 2019

A maintainer has manually backported this PR to "6-0-x", please check out #20023

@the-j0k3r

> A maintainer has manually backported this PR to "6-0-x", please check out #20023

Any chance this will be backported to Electron 5.0.13? Seems there is a regression for this; see https://github.com/bus-stop/terminus/issues/84

Atom 1.47.0, the latest version, is using Electron 5.0.13, which fails; the earlier Atom 1.46.0 with Electron 4.2.7 worked.

@trop
Contributor

trop bot commented Jun 1, 2020

@the-j0k3r has manually backported this PR to "5-0-x", please check out #23881

@the-j0k3r

Has anyone checked that this fix exists in newer Electron versions greater than 7.x?

Successfully merging this pull request may close these issues.

Executing SUID binaries not possible in v5