oss-sec mailing list archives
Re: CVE Request: powerdns does not clear supplementary groups
From: Solar Designer <solar () openwall com>
Date: Fri, 25 May 2012 00:10:04 +0400
Kurt - On Thu, May 24, 2012 at 12:40:10PM -0600, Kurt Seifried wrote:
Supplemental groups enabled a user to be a member of more than one group at a time (us old timers remember the joys of "newgrp"). Why would anyone want this? You could for example create a group that has permissions to access logging, terminals (e.g. modems, remember those? =) and then add users to it as appropriate (and centralize account/permissions management somewhat and all that good stuff).
That's what initgroups(3) is for. If a program that is supposed to drop privs calls neither setgroups() nor initgroups(), or if it fails to check the return value from these and refuse to proceed on failure, then it is vulnerable.
So what happens when a program starts running as say root, and root has supplemental groups (like "bin" or "daemon" and the program drops its primary user/group but fails to drop supplementary groups, is that a security issue,
Definitely.
and is it worthy of a CVE identifier?
It should be.
Having supplementary groups is intentional [...]
Having supplementary groups of the new (pseudo-)user, possibly yes. Having supplementary groups of the old switched-from user, no. Alexander
Current thread:
- CVE Request: powerdns does not clear supplementary groups David Black (May 24)
- Re: CVE Request: powerdns does not clear supplementary groups Kurt Seifried (May 24)
- Re: CVE Request: powerdns does not clear supplementary groups Steve Grubb (May 24)
- Re: CVE Request: powerdns does not clear supplementary groups Miloslav Trmac (May 24)
- Re: CVE Request: powerdns does not clear supplementary groups Kurt Seifried (May 24)
- Re: CVE Request: powerdns does not clear supplementary groups David Black (May 25)
- Re: CVE Request: powerdns does not clear supplementary groups Solar Designer (May 24)
- Re: CVE Request: powerdns does not clear supplementary groups Kurt Seifried (May 24)
- Re: CVE Request: powerdns does not clear supplementary groups Solar Designer (May 24)
- Re: CVE Request: powerdns does not clear supplementary groups Steve Grubb (May 24)
- Re: CVE Request: powerdns does not clear supplementary groups Solar Designer (May 24)
- Re: CVE Request: powerdns does not clear supplementary groups Steve Grubb (May 24)
- Re: CVE Request: powerdns does not clear supplementary groups Christos Zoulas (May 24)
- Re: CVE Request: powerdns does not clear supplementary groups Kurt Seifried (May 25)
- Re: CVE Request: powerdns does not clear supplementary groups Peter van Dijk (May 25)
- Re: CVE Request: powerdns does not clear supplementary groups Kurt Seifried (May 25)
- Re: CVE Request: powerdns does not clear supplementary groups Kurt Seifried (May 24)