oss-sec mailing list archives
Re: CVE Request: powerdns does not clear supplementary groups
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 24 May 2012 14:33:06 -0600
On 05/24/2012 02:10 PM, Solar Designer wrote:
> Kurt -
>
> On Thu, May 24, 2012 at 12:40:10PM -0600, Kurt Seifried wrote:
>> Supplemental groups enabled a user to be a member of more than one group at a time (us old timers remember the joys of "newgrp"). Why would anyone want this? You could for example create a group that has permissions to access logging, terminals (e.g. modems, remember those? =) and then add users to it as appropriate (and centralize account/permissions management somewhat and all that good stuff).
>
> That's what initgroups(3) is for. If a program that is supposed to drop privs calls neither setgroups() nor initgroups(), or if it fails to check the return value from these and refuse to proceed on failure, then it is vulnerable.
>
>> So what happens when a program starts running as say root, and root has supplemental groups (like "bin" or "daemon" and the program drops its primary user/group but fails to drop supplementary groups, is that a security issue,
>
> Definitely.
>
>> and is it worthy of a CVE identifier?
>
> It should be.
>
>> Having supplementary groups is intentional [...]
>
> Having supplementary groups of the new (pseudo-)user, possibly yes. Having supplementary groups of the old switched-from user, no.
>
> Alexander

Ahh I realize something I forgot to cover in my email is the distinction between vulnerability and vector, e.g. if program "foo" (for the sake of argument let's say it is a text editor) doesn't drop supplementary groups correctly then exploitation of it would be easy, so in this case I'd agree it was a security vuln. But when a program with much more limited operations doesn't drop privileges, unless it directly leads to some sort of exploit/elevated access/etc. then I'm inclined to say while it's not good, it's not a vulnerability per se.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
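The rule quoted above (call setgroups() or initgroups(), check the return value, refuse to proceed on failure) as an added example; it is not code from this thread or from PowerDNS. The names `drop_privileges` and `only_group` are chosen here for illustration, and the sketch assumes the process starts as root on a POSIX system.

```c
#define _DEFAULT_SOURCE            /* exposes setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Return 1 if every entry of a supplementary group list equals gid. */
int only_group(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] != gid)
            return 0;
    return 1;
}

/* Switch from root to `user`. Returns 0 on success, -1 on any failure;
 * on -1 the caller must exit instead of serving with the old identity. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    uid_t uid = pw->pw_uid;
    gid_t gid = pw->pw_gid;

    /* Groups first, uid last: setgroups() and setgid() need root.
     * Use initgroups(user, gid) instead if the account needs its own groups. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;

    /* Verify the result rather than trusting the calls. */
    gid_t list[64];
    int n = getgroups(64, list);
    if (n < 0 || !only_group(list, n, gid))
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)    /* regaining root must not work */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2 || drop_privileges(argv[1]) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    return 0;                      /* a real daemon would start serving here */
}
```

Omitting the setgroups() call leaves the starting user's supplementary groups in place, and the getgroups() verification is what makes that omission visible.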