Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 May 2012 13:58:09 -0600
From: Kurt Seifried <>
CC: Miloslav Trmac <>, David Black <>,
        Peter van Dijk <>,
        Bert Hubert <>
Subject: Re: CVE Request: powerdns does not clear supplementary

Hash: SHA1

On 05/24/2012 01:10 PM, Miloslav Trmac wrote:
> ----- Original Message -----
>> So what happens when a program starts running as say root, and
>> root has supplemental groups (like "bin" or "daemon" and the
>> program drops its primary user/group but fails to drop
>> supplementary groups, is that a security issue, and is it worthy
>> of a CVE identifier?
>> For most cases I'm going to say probably not (aka no). Having 
>> supplementary groups is intentional and allows permissions to be
>> more fine grained, you can for example make root a member of
>> "logging" so that even when the app drops root privileges would
>> still have the supplementary group of "logging" and can do its
>> logging or whatever.
> Yes, the existence of supplementary groups is intentional - but
> that doesn't mean that inheriting supplementary groups is
> intentional.
> From the administrator's point of view, the privileges are
> effectively assigned to "the user" as an "atomic" identity - they
> are configured in /etc/passwd and /etc/group _and associated with
> an UID_.  In "ordinary" case, programs running with a specific UID
> are expected to always use the same primary GID, and same primary
> groups.  Yes, the implementation does not match the administrator's
> point of view, the UID, GID and supplementary groups are sparete,
> and , e.g. setuid/setgid may cause a different configuration from
> the "primary" case, or switching privileges temporarily creates
> non-ordinary situations.  Still, I think that keeping the
> administrator's point of view in mind is important.
> In the above example, if there really is a "logging" group, and an
> application is configured to drop privileges and switch to uid
> $APP_UID, the administrator would expect that whether the app
> should or should not have the "logging" group membership is
> configured in /etc/groups for $APP_UID, not for root.  So, I can't
> see that as an argument for intentionally not dropping
> supplementary groups. Mirek

Ok I'll admit it, bad example, but I couldn't think of anything better
offhand. Any ways like I said if someone can make a compelling
argument that these should all be security issues that's great, if not
I'll continue to default this to a security hardening issue unless
someone brings up specific instances that need to be dealt with as a
security fix.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla -


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.