Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 May 2012 14:33:06 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Solar Designer <solar@...nwall.com>
Subject: Re: CVE Request: powerdns does not clear supplementary
 groups

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/24/2012 02:10 PM, Solar Designer wrote:
> Kurt -
> 
> On Thu, May 24, 2012 at 12:40:10PM -0600, Kurt Seifried wrote:
>> Supplemental groups enabled a user to be a member of more than
>> one group at a time (us old timers remember the joys of
>> "newgrp"). Why would anyone want this? You could for example
>> create a group that has permissions to access logging, terminals
>> (e.g. modems, remember those? =) and then add users to it as
>> appropriate (and centralize account/permissions management
>> somewhat and all that good stuff).
> 
> That's what initgroups(3) is for.  If a program that is supposed to
> drop privs calls neither setgroups() nor initgroups(), or if it
> fails to check the return value from these and refuse to proceed on
> failure, then it is vulnerable.
> 
>> So what happens when a program starts running as say root, and
>> root has supplemental groups (like "bin" or "daemon" and the
>> program drops its primary user/group but fails to drop
>> supplementary groups, is that a security issue,
> 
> Definitely.
> 
>> and is it worthy of a CVE identifier?
> 
> It should be.
> 
>> Having supplementary groups is intentional [...]
> 
> Having supplementary groups of the new (pseudo-)user, possibly
> yes. Having supplementary groups of the old switched-from user,
> no.
> 
> Alexander

Ahh I realize something I forgot to cover in my email is the
distinction between vulnerability and vector, e.g. if program "foo"
(for the sake of argument let's say it is a text editor) doesn't drop
supplementary groups correctly than exploitation of it would be easy,
so in this case I'd agree it was a security vuln. But when a program
with much more limited operations doesn't drop privileges, unless it
directly leads to some sort of exploit/elevated access/etc. than I'm
inclined to say while it's not good, it's not a vulnerability per se.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPvpsCAAoJEBYNRVNeJnmTHIIQAIA3A/fehKMDeXegQ8t7ObbK
PT+eTwn5TbRwxkdmvloF3wVFUoAv6C58obq349AmOKc/BXaM4Nf3tgnxiUKLm570
yPjDdBGECBtMrLftQ5LMSwZCkygZicD1JRbS9moJJOoR9xK005FAZM1P3LJOo7Bv
S4gNTD2Vz3p0v09o7axTsNfAcA/May5hOJ5jmSq+Oj098ShPGVmtAmQkfADRa+mP
xjtC7qFojDbwR3OANRUqU0FTHym4PmroVyWBAgrZNnaIywNz0JTyVXIII03Iv6H+
fAHxXshQ9NSTlizoKmm2ylmAI7u4/s/EWBE9P89Qo/m5ei0CKpc5i1YfzK7bD0zL
Q4Y4WEFSNxpath2nQ/SUJe3E9P/yI6SsL2jjxFvf+qnfNtVSMAXFOLS6rmoE4ioj
wo4Hu7HBfkVnW9AJL/dAtSh6Xjv7AnxXHLb3yQ/9oOaaXRm0wNdJVTyw3BsvOHuf
d7Q/4GQhCKVDnXgCUpBQHa9ccqqfnVT9aReWueSf1N1NMVxJJOIcst+KtaEhm6Wt
i/tCMXc3alIeeMn8CzK66XaS/hToSwB73NTsaze4wSyJMUIqM1nlO64mOv5KNwZM
DYvj35I2ICK31prIAFVlGxaNRNExW+ofv4l4RvyTXREpU4ew0sgRMjzoJWw0+0sk
is3phnptl1+es4JrjRye
=dDuN
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.