Re: CVE Request: powerdns does not clear supplementary groups

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/24/2012 02:10 PM, Solar Designer wrote:
> Kurt -
>
> On Thu, May 24, 2012 at 12:40:10PM -0600, Kurt Seifried wrote:
> > Supplemental groups enabled a user to be a member of more than
> > one group at a time (us old timers remember the joys of
> > "newgrp"). Why would anyone want this? You could for example
> > create a group that has permissions to access logging, terminals
> > (e.g. modems, remember those? =) and then add users to it as
> > appropriate (and centralize account/permissions management
> > somewhat and all that good stuff).
>
> That's what initgroups(3) is for.  If a program that is supposed to
> drop privs calls neither setgroups() nor initgroups(), or if it
> fails to check the return value from these and refuse to proceed on
> failure, then it is vulnerable.
>
> > So what happens when a program starts running as say root, and
> > root has supplemental groups (like "bin" or "daemon" and the
> > program drops its primary user/group but fails to drop
> > supplementary groups, is that a security issue,
>
> Definitely.
>
> > and is it worthy of a CVE identifier?
>
> It should be.
>
> > Having supplementary groups is intentional [...]
>
> Having supplementary groups of the new (pseudo-)user, possibly
> yes. Having supplementary groups of the old switched-from user,
> no.
>
> Alexander

Ahh I realize something I forgot to cover in my email is the
distinction between vulnerability and vector, e.g. if program "foo"
(for the sake of argument let's say it is a text editor) doesn't drop
supplementary groups correctly than exploitation of it would be easy,
so in this case I'd agree it was a security vuln. But when a program
with much more limited operations doesn't drop privileges, unless it
directly leads to some sort of exploit/elevated access/etc. than I'm
inclined to say while it's not good, it's not a vulnerability per se.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPvpsCAAoJEBYNRVNeJnmTHIIQAIA3A/fehKMDeXegQ8t7ObbK
PT+eTwn5TbRwxkdmvloF3wVFUoAv6C58obq349AmOKc/BXaM4Nf3tgnxiUKLm570
yPjDdBGECBtMrLftQ5LMSwZCkygZicD1JRbS9moJJOoR9xK005FAZM1P3LJOo7Bv
S4gNTD2Vz3p0v09o7axTsNfAcA/May5hOJ5jmSq+Oj098ShPGVmtAmQkfADRa+mP
xjtC7qFojDbwR3OANRUqU0FTHym4PmroVyWBAgrZNnaIywNz0JTyVXIII03Iv6H+
fAHxXshQ9NSTlizoKmm2ylmAI7u4/s/EWBE9P89Qo/m5ei0CKpc5i1YfzK7bD0zL
Q4Y4WEFSNxpath2nQ/SUJe3E9P/yI6SsL2jjxFvf+qnfNtVSMAXFOLS6rmoE4ioj
wo4Hu7HBfkVnW9AJL/dAtSh6Xjv7AnxXHLb3yQ/9oOaaXRm0wNdJVTyw3BsvOHuf
d7Q/4GQhCKVDnXgCUpBQHa9ccqqfnVT9aReWueSf1N1NMVxJJOIcst+KtaEhm6Wt
i/tCMXc3alIeeMn8CzK66XaS/hToSwB73NTsaze4wSyJMUIqM1nlO64mOv5KNwZM
DYvj35I2ICK31prIAFVlGxaNRNExW+ofv4l4RvyTXREpU4ew0sgRMjzoJWw0+0sk
is3phnptl1+es4JrjRye
=dDuN
-----END PGP SIGNATURE-----