Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Gerrit Pape <pape@smarden.org>: Bug#356016; Package runit.
Acknowledgement sent to Tino Keitel <tino.keitel@web.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Gerrit Pape <pape@smarden.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: runit: setting of multiple groups using -u is broken
Date: Thu, 09 Mar 2006 10:00:27 +0100
Package: runit
Version: 1.3.3-1
Severity: critical
Tags: security
Justification: root security hole
Hi Gerrit,
As I told you during lunch a few weeks ago, the chpst binary in the
Sid package of runit behaves buggy regarding multiple groups in the
-u parameter:
$ strace -s 4096 -f /usr/bin/chpst -u nobody:ipod:nogroup:camera:mythtv /bin/sleep 1 2>&1 | grep setgroups
setgroups(4, [1006, 0, 65534, 0]) = 0
The 0 groups are wrong here, so the process gets permissions for the
root group where it shouldn't!
The correct group IDs look like this:
$ grep -E "ipod|nogroup|camera|mythtv" /etc/group
nogroup:x:65534:
mythtv:x:110:scorpion
ipod:x:1006:scorpion
camera:x:1009:scorpion
A chpst binary built using just "make" on my unstable system (which will be
linked against glibc) behaves correctly:
$ strace -s 4096 -f src/runit-1.3.3/admin/runit-1.3.3/src/chpst -u nobody:ipod:nogroup:camera:mythtv /bin/sleep 1 2>&1 | grep setgroups
setgroups32(4, [1006, 65534, 1009, 110]) = 0
I think the reason is that dietlibc handles the gid_t type as 16 bit on
i386. In /usr/include/diet/sys/types.h, I found this:
#elif defined(__arm__) || defined(__i386__) || defined(__sparc__) || defined(__s390__) /* make sure __s390x__ hits before __s390__ */
typedef uint16_t dev_t;
typedef uint16_t gid_t;
Whereas glibc uses 32 bit for gid_t on i386.
In chpst, a struct uidgid will be used to build the list for setgroups,
and it uses int for the groups:
struct uidgid {
  int uid;
  int gid[61];
  int gids;
};
Therefore, on the little endian i386 architecture with dietlibc, the
list of 32 bit values supplied by chpst will be treated as a list of
16 bit values in setgroups(), resulting in a 0 on each second list entry.
I suggest using gid_t in the struct uidgid to fix this.
Regards,
Tino
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15.1
Locale: LANG=C, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
-- no debconf information
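The reinterpretation described in the report above, as an added example (not part of the original report, and not runit or dietlibc code). The names diet_gid_t, i386_int and read_as_gid16 are hypothetical stand-ins; the group IDs are the ones quoted from /etc/group.

```c
/* Added illustration; not runit or dietlibc code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t diet_gid_t;   /* assumption: 16-bit gid_t, as in the quoted header */
typedef int32_t  i386_int;     /* assumption: int is 32 bits wide on i386 */

/* Model of a setgroups() built for 16-bit gid_t: it reads the first n
 * 16-bit words at `list`, however the caller actually laid the list out. */
static void read_as_gid16(const void *list, size_t n, diet_gid_t *out)
{
    memcpy(out, list, n * sizeof(diet_gid_t));
}

/* Before: group list held in int, as in struct uidgid. */
static void groups_from_int_list(diet_gid_t seen[4])
{
    i386_int gid[4] = { 1006, 65534, 1009, 110 };  /* ipod nogroup camera mythtv */
    read_as_gid16(gid, 4, seen);
}

/* After: group list held in the libc's own gid_t, as the report suggests. */
static void groups_from_gid_list(diet_gid_t seen[4])
{
    diet_gid_t gid[4] = { 1006, 65534, 1009, 110 };
    read_as_gid16(gid, 4, seen);
}

/* Nonzero on a little-endian host, the case the report describes. */
static int host_is_little_endian(void)
{
    uint32_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

int main(void)
{
    diet_gid_t a[4], b[4];
    groups_from_int_list(a);
    groups_from_gid_list(b);
    printf("int list:   [%u, %u, %u, %u]\n", (unsigned)a[0], (unsigned)a[1], (unsigned)a[2], (unsigned)a[3]);
    printf("gid_t list: [%u, %u, %u, %u]\n", (unsigned)b[0], (unsigned)b[1], (unsigned)b[2], (unsigned)b[3]);
    printf("little endian host: %d\n", host_is_little_endian());
    return 0;
}
```

On a little-endian host the int list is read back as [1006, 0, 65534, 0], the same list the strace of the Debian binary shows.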
Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>: Bug#356016; Package runit.
Acknowledgement sent to Tino Keitel <tino.keitel@gmx.de>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.
Hi,
the attached patch fixes all warnings that occurred on my unstable
system. This also includes a fix for the setgroups() flaw in chpst.
Regards,
Tino
Tags added: patch
Request was from Tino Keitel <tino.keitel@gmx.de>
to control@bugs.debian.org.
Changed Bug title.
Request was from Tino Keitel <tino.keitel@gmx.de>
to control@bugs.debian.org.
Message sent on to Tino Keitel <tino.keitel@web.de>:
Bug#356016.
Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>: Bug#356016; Package runit.
Acknowledgement sent to 356016@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.
To: Tino Keitel <tino.keitel@gmx.de>, 356016@bugs.debian.org
Subject: Re: Bug#356016: chpst: setting of multiple groups using -u is broken
Date: Mon, 13 Mar 2006 08:38:04 +0000
tags 356016 + pending
quit
On Mon, Mar 13, 2006 at 09:22:03AM +0100, Tino Keitel wrote:
> the attached patch fixes all warnings that occurred on my unstable
> system. This also includes a fix for the setgroups() flaw in chpst.
Thanks Tino! I'll release a version with the fix soon.
Regards, Gerrit.
Tags added: pending
Request was from Gerrit Pape <pape@smarden.org>
to control@bugs.debian.org.
Reply sent to Gerrit Pape <pape@smarden.org>:
You have taken responsibility.
Notification sent to Tino Keitel <tino.keitel@web.de>:
Bug acknowledged by developer.
Source: runit
Source-Version: 1.4.1-1
We believe that the bug you reported is fixed in the latest version of
runit, which is due to be installed in the Debian FTP archive:
runit_1.4.1-1.diff.gz
to pool/main/r/runit/runit_1.4.1-1.diff.gz
runit_1.4.1-1.dsc
to pool/main/r/runit/runit_1.4.1-1.dsc
runit_1.4.1-1_i386.deb
to pool/main/r/runit/runit_1.4.1-1_i386.deb
runit_1.4.1.orig.tar.gz
to pool/main/r/runit/runit_1.4.1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 356016@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gerrit Pape <pape@smarden.org> (supplier of updated runit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 20 Mar 2006 19:34:34 +0000
Source: runit
Binary: runit
Architecture: source i386
Version: 1.4.1-1
Distribution: unstable
Urgency: low
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Gerrit Pape <pape@smarden.org>
Description:
runit - a UNIX init scheme with service supervision
Closes: 356016
Changes:
runit (1.4.1-1) unstable; urgency=low
.
* new upstream version.
* fixes setting of multiple groups with dietlibc (thx Tino Keitel,
closes: #356016).
* debian/rules: no longer install the runsvctrl, runsvstat, svwaitdown,
svwaitup programs and man pages, use sv instead; move getty-5 service
directory to /etc/sv/getty-5/; move /var/run/getty-5/ to
/var/run/sv.getty-5/.
* debian/runit.conffiles: adapt.
* debian/runit.preinst, debian/runit.postinst: move conffiles, preserve
user changes.
Files:
1c937584de66d48f9d9e9505eb467947 628 admin optional runit_1.4.1-1.dsc
00c52272eddab7a8cba5dac128dc79c0 102958 admin optional runit_1.4.1.orig.tar.gz
bfdd3a854282d0fdf174e4d72d39a858 8328 admin optional runit_1.4.1-1.diff.gz
2d0d628e7e3183f72aef25e6b6872e66 100108 admin optional runit_1.4.1-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEHwlAGJoyQbxwpv8RAjQAAJ4/zMzSEQOG/34sqiRrTftRKXkiUACeMksr
Vlj54nwh2O3mVEzN1vybuBM=
=9IFQ
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Jun 2007 17:36:14 GMT)