Debian Bug report logs - #356016
chpst: setting of multiple groups using -u is broken

Package: runit; Maintainer for runit is Lorenzo Puliti <plorenzo@disroot.org>; Source for runit is src:runit.

Reported by: Tino Keitel <tino.keitel@web.de>

Date: Thu, 9 Mar 2006 09:03:05 UTC

Severity: critical

Tags: patch, security

Found in version runit/1.3.3-1

Fixed in version runit/1.4.1-1

Done: Gerrit Pape <pape@smarden.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Gerrit Pape <pape@smarden.org>:
Bug#356016; Package runit.


Acknowledgement sent to Tino Keitel <tino.keitel@web.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Gerrit Pape <pape@smarden.org>.


Message #5 received at submit@bugs.debian.org:

From: Tino Keitel <tino.keitel@web.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: runit: setting of multiple groups using -u is broken
Date: Thu, 09 Mar 2006 10:00:27 +0100
Package: runit
Version: 1.3.3-1
Severity: critical
Tags: security
Justification: root security hole

Hi Gerrit,

As I told you during lunch a few weeks ago, the chpst binary in the
Sid package of runit behaves buggy regarding multiple groups in the
-u parameter:

$ strace -s 4096 -f /usr/bin/chpst -u nobody:ipod:nogroup:camera:mythtv /bin/sleep 1 2>&1 | grep setgroups

setgroups(4, [1006, 0, 65534, 0])       = 0

The 0 groups are wrong here, so the process gets permissions for the
root group where it shouldn't!

The correct group IDs look like this:

$ grep -E "ipod|nogroup|camera|mythtv" /etc/group
nogroup:x:65534:
mythtv:x:110:scorpion
ipod:x:1006:scorpion
camera:x:1009:scorpion

A chpst binary built using just "make" on my unstable system (which will be
linked against glibc) behaves correctly:

$ strace -s 4096 -f src/runit-1.3.3/admin/runit-1.3.3/src/chpst -u nobody:ipod:nogroup:camera:mythtv /bin/sleep 1 2>&1 | grep setgroups

setgroups32(4, [1006, 65534, 1009, 110]) = 0

I think the reason is that dietlibc handles the gid_t type as 16 bit on
i386. In /usr/include/diet/sys/types.h, I found this:

#elif defined(__arm__) || defined(__i386__) || defined(__sparc__) || defined(__s390__) /* make sure __s390x__ hits before __s390__ */
    typedef uint16_t dev_t;
    typedef uint16_t gid_t;

Whereas glibc uses 32 bit for gid_t on i386.

In chpst, a struct uidgid will be used to build the list for setgroups,
and it uses int for the groups:

struct uidgid {
  int uid;
  int gid[61];
  int gids;
};

Therefore, on the little endian i386 architecture with dietlibc, the
list of 32 bit values supplied by chpst will be treated as a list of
16 bit values in setgroups(), resulting in a 0 on each second list entry.

I suggest to use gid_t in the struct uidgid to fix this.

Regards,
Tino

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15.1
Locale: LANG=C, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

-- no debconf information
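
The width mismatch described in the report above can be reproduced without dietlibc. The following is an added example, not code from the report or from runit: the helper names (`store_le`, `read_gid16`, `unexpected_root`, `uidgid_fixed`) are hypothetical, and the i386 little-endian layout is written out byte by byte so the result is the same on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Fixed layout as suggested in the report: elements are gid_t, and the
 * assertion turns any width mismatch with the libc into a build error. */
struct uidgid_fixed { uid_t uid; gid_t gid[61]; int gids; };
_Static_assert(sizeof(((struct uidgid_fixed *)0)->gid[0]) == sizeof(gid_t),
               "group list element width must equal sizeof(gid_t)");

/* Lay out n values as an i386 array of `width`-byte little-endian elements. */
static size_t store_le(const uint32_t *v, size_t n, size_t width, unsigned char *buf) {
    for (size_t i = 0; i < n; i++)
        for (size_t b = 0; b < width; b++)
            buf[i * width + b] = (unsigned char)(v[i] >> (8 * b));
    return n * width;
}

/* What a setgroups() built with a 16-bit gid_t reads: n 16-bit entries. */
static void read_gid16(const unsigned char *buf, size_t n, uint16_t *out) {
    for (size_t i = 0; i < n; i++)
        out[i] = (uint16_t)(buf[2 * i] | (buf[2 * i + 1] << 8));
}

/* Number of gid 0 entries the kernel would receive that nobody asked for. */
static int unexpected_root(const uint32_t *want, const uint16_t *got, size_t n) {
    int asked = 0, zeros = 0;
    for (size_t i = 0; i < n; i++) {
        asked |= (want[i] == 0);
        zeros += (got[i] == 0);
    }
    return asked ? 0 : zeros;
}

int main(void) {
    const uint32_t want[4] = {1006, 65534, 1009, 110}; /* gids from the report */
    unsigned char buf[16];
    uint16_t got[4];
    store_le(want, 4, sizeof(int32_t), buf);  /* int gid[]: the reported layout */
    read_gid16(buf, 4, got);
    printf("int elements:   [%d, %d, %d, %d], stray root groups: %d\n",
           got[0], got[1], got[2], got[3], unexpected_root(want, got, 4));
    store_le(want, 4, sizeof(uint16_t), buf); /* elements sized like gid_t */
    read_gid16(buf, 4, got);
    printf("gid_t elements: [%d, %d, %d, %d], stray root groups: %d\n",
           got[0], got[1], got[2], got[3], unexpected_root(want, got, 4));
    return 0;
}
```

The first line of output matches the `setgroups(4, [1006, 0, 65534, 0])` call in the strace above: the callee consumes only the first half of the 32-bit array, so camera and mythtv are dropped and two gid 0 entries appear in their place.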



Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#356016; Package runit.


Acknowledgement sent to Tino Keitel <tino.keitel@gmx.de>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.


Message #10 received at 356016@bugs.debian.org:

From: Tino Keitel <tino.keitel@gmx.de>
To: 356016@bugs.debian.org
Cc: 356016-submitter@bugs.debian.org
Subject: chpst: setting of multiple groups using -u is broken
Date: Mon, 13 Mar 2006 09:22:03 +0100
Hi,

the attached patch fixes all warnings that occurred on my unstable
system. This also includes a fix for the setgroups() flaw in chpst.

Regards,
Tino
[fix_warnings_vs_1.3.3.patch (text/plain, attachment)]

Tags added: patch Request was from Tino Keitel <tino.keitel@gmx.de> to control@bugs.debian.org.


Changed Bug title. Request was from Tino Keitel <tino.keitel@gmx.de> to control@bugs.debian.org.


Message sent on to Tino Keitel <tino.keitel@web.de>:
Bug#356016.


Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#356016; Package runit.


Acknowledgement sent to 356016@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.


Message #22 received at 356016@bugs.debian.org:

From: Gerrit Pape <pape@smarden.org>
To: Tino Keitel <tino.keitel@gmx.de>, 356016@bugs.debian.org
Subject: Re: Bug#356016: chpst: setting of multiple groups using -u is broken
Date: Mon, 13 Mar 2006 08:38:04 +0000
tags 356016 + pending
quit

On Mon, Mar 13, 2006 at 09:22:03AM +0100, Tino Keitel wrote:
> the attached patch fixes all warnings that occurred on my unstable
> system. This also includes a fix for the setgroups() flaw in chpst.

Thanks Tino! I'll release a version with the fix soon.

Regards, Gerrit.



Tags added: pending Request was from Gerrit Pape <pape@smarden.org> to control@bugs.debian.org.


Reply sent to Gerrit Pape <pape@smarden.org>:
You have taken responsibility.


Notification sent to Tino Keitel <tino.keitel@web.de>:
Bug acknowledged by developer.


Message #29 received at 356016-close@bugs.debian.org:

From: Gerrit Pape <pape@smarden.org>
To: 356016-close@bugs.debian.org
Subject: Bug#356016: fixed in runit 1.4.1-1
Date: Mon, 20 Mar 2006 14:34:12 -0800
Source: runit
Source-Version: 1.4.1-1

We believe that the bug you reported is fixed in the latest version of
runit, which is due to be installed in the Debian FTP archive:

runit_1.4.1-1.diff.gz
  to pool/main/r/runit/runit_1.4.1-1.diff.gz
runit_1.4.1-1.dsc
  to pool/main/r/runit/runit_1.4.1-1.dsc
runit_1.4.1-1_i386.deb
  to pool/main/r/runit/runit_1.4.1-1_i386.deb
runit_1.4.1.orig.tar.gz
  to pool/main/r/runit/runit_1.4.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 356016@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gerrit Pape <pape@smarden.org> (supplier of updated runit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 20 Mar 2006 19:34:34 +0000
Source: runit
Binary: runit
Architecture: source i386
Version: 1.4.1-1
Distribution: unstable
Urgency: low
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Gerrit Pape <pape@smarden.org>
Description: 
 runit      - a UNIX init scheme with service supervision
Closes: 356016
Changes: 
 runit (1.4.1-1) unstable; urgency=low
 .
   * new upstream version.
     * fixes setting of multiple groups with dietlibc (thx Tino Keitel,
       closes: #356016).
   * debian/rules: no longer install the runsvctrl, runsvstat, svwaitdown,
     svwaitup programs and man pages, use sv instead; move getty-5 service
     directory to /etc/sv/getty-5/; move /var/run/getty-5/ to
     /var/run/sv.getty-5/.
   * debian/runit.conffiles: adapt.
   * debian/runit.preinst, debian/runit.postinst: move conffiles, preserve
     user changes.
Files: 
 1c937584de66d48f9d9e9505eb467947 628 admin optional runit_1.4.1-1.dsc
 00c52272eddab7a8cba5dac128dc79c0 102958 admin optional runit_1.4.1.orig.tar.gz
 bfdd3a854282d0fdf174e4d72d39a858 8328 admin optional runit_1.4.1-1.diff.gz
 2d0d628e7e3183f72aef25e6b6872e66 100108 admin optional runit_1.4.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEHwlAGJoyQbxwpv8RAjQAAJ4/zMzSEQOG/34sqiRrTftRKXkiUACeMksr
Vlj54nwh2O3mVEzN1vybuBM=
=9IFQ
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 17:36:14 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 00:35:34 2025; Machine Name: buxtehude
