[Bug 1095670] New: Problem with suid pgms on Leap-15.0
http://bugzilla.suse.com/show_bug.cgi?id=1095670
Bug ID: 1095670
Summary: Problem with suid pgms on Leap-15.0
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.0
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: dmarkh@cfl.rr.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
I am upgrading an older SuSE-13.2 box to Leap. I have done a fresh Leap-15.0
install and ported over the source code that we ran on the 13.2 box. It builds
fine but I am having an issue. The program is/has to be an suid pgm. It also
uses fork/execvpe/wait to execute some external scripts. And that is where my
problem lies. The user is a member of several groups but these group
memberships seem to disappear when these external scripts are executed. For
instance the user is a member of the cdrom group so he can eject and work with
a DVD. I have created a simple example script and source for a pgm that
execvpe's that script which shows my problem.
test.sh script:
#!/bin/sh
whoami
id
test.c pgm source:
#define _GNU_SOURCE
#include
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c3
--- Comment #3 from Dr. Werner Fink
POS36-C: "Consequently, it is recommended that a program relinquish supplementary group IDs immediately before relinquishing root privileges." rpmlint warns about a missing-call-to-setgroups-before-setuid.
That is the reason why the setgroup is there: @@ -1277,6 +1278,7 @@ disable_priv_mode () { int e; + setgroups(0, NULL); if (setuid (current_user.uid) < 0) { e = errno; ...maybe the initgroups(3) (g)libc call would be better as this does inherent setgroups(2) with users groups as well. Also it would help if rpmlint would mention initgroups(3) as the better option -- You are receiving this mail because: You are on the CC list for the bug.
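Review bot: the return value of the added setgroups(0, NULL) in disable_priv_mode() is ignored, while the setuid() call directly below it is checked and its errno saved. setgroups(2) can fail (EPERM without CAP_SETGID), so handle its failure the same way as the setuid() failure instead of continuing silently. An empty list also removes every supplementary group of the invoking user, not only those inherited from the privileged identity, so whatever the shell executes afterwards keeps the primary group alone; the hunk adds no comment saying that this is intended.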
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c4
--- Comment #4 from Andrei Borzenkov
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c5
--- Comment #5 from Dr. Werner Fink
Was it ever submitted upstream? Was it rejected? If yes, why?
In any case, upstream or not, this needs documentation. Behavior is entirely undocumented, not even in changelog, and is incompatible with other distributions and upstream.
This was a simple leftover done to silence the rpmlint messages for another bug. I had never added this to changelog as it slipped out.
(In reply to Mark Hounschell from comment #0)
> I am upgrading an older SuSE-13.2 box to Leap. I have done a fresh Leap-15.0 install and ported over the source code that we ran on the 13.2 box. It builds fine but I am having an issue. The program is/has to be an suid pgm. It also uses fork/execvpe/wait to execute some external scripts. And that is where my problem lies. The user is a member of several groups but these group memberships seem to disappear when these external scripts are executed. For instance the user is a member of the cdrom group so he can eject and work with a DVD. I have created a simple example script and source for a pgm that execvpe's that script which shows my problem.
You might give the version of the latest bash in project Base:System a try, as here I have replaced the setgroups(2) system call with the initgroups(3) libc call: https://build.opensuse.org/package/binary/download/Base:System/bash/openSUSE... If this works for you I'll submit the fix to upstream and will see if Chet does accept this.
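Added example, not code from the bug report or from bash: a small C checker for the two outcomes discussed in this thread, supplementary groups a process has lost and groups left over from its previous identity. The names audit_groups, audit_self and MAX_GROUPS are made up for this example; it compares getgroups(2) with what getgrouplist(3) returns for the real user.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#define MAX_GROUPS 256   /* assumed upper bound for this example */

static int has_gid(const gid_t *list, int n, gid_t g)
{
    for (int i = 0; i < n; i++)
        if (list[i] == g) return 1;
    return 0;
}

/* want = groups the user database grants, have = groups the process holds.
 * missing: granted, not held (lost); extra: held, not granted (left over). */
void audit_groups(const gid_t *want, int nwant, const gid_t *have, int nhave,
                  int *missing, int *extra)
{
    *missing = *extra = 0;
    for (int i = 0; i < nwant; i++)
        *missing += !has_gid(have, nhave, want[i]);
    for (int i = 0; i < nhave; i++)
        *extra += !has_gid(want, nwant, have[i]);
}

/* Audit the calling process for its real user; -1 if a lookup fails. */
int audit_self(int *missing, int *extra)
{
    gid_t want[MAX_GROUPS], have[MAX_GROUPS + 1];
    int nwant = MAX_GROUPS, nhave;
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || getgrouplist(pw->pw_name, pw->pw_gid, want, &nwant) < 0)
        return -1;
    if ((nhave = getgroups(MAX_GROUPS, have)) < 0)
        return -1;
    if (!has_gid(have, nhave, getegid()))
        have[nhave++] = getegid();  /* getgroups(2) may omit the effective gid */
    audit_groups(want, nwant, have, nhave, missing, extra);
    return 0;
}

int main(void)
{
    int missing, extra;
    if (audit_self(&missing, &extra) != 0)
        return 2;
    printf("missing=%d extra=%d\n", missing, extra);
    return missing || extra;
}
```

Run from a script that the suid program executes, a non-zero missing count reproduces the symptom reported here, and a non-zero extra count is the case the POS36-C rule is meant to prevent.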
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c6
--- Comment #6 from Mark Hounschell
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c7
--- Comment #7 from Dr. Werner Fink
https://rudin.suse.de:8894/package/binary/download/Base:System/bash/openSUSE_Leap_15.0/x86_64/bash-4.4-lp150.361.1.x86_64.rpm
This did not work for me. Same results. Did it work for you with the provided test case?
Hmmm ... I see a SIGSEGV due to an uninitialized current_user.user_name ... but
with fixing that I see
abuild@noether:/tmp> cat checkgrp.c
#define _GNU_SOURCE
#include
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c8
--- Comment #8 from Mark Hounschell
> Hmmm ... I see a SIGSEGV due to an uninitialized current_user.user_name ... but with
> fixing that I see
I don't see that SIGSEGV. Might I ask what you did to fix that? In any case I double checked, I still lose my group memberships using the rpm you pointed me to.
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c9
--- Comment #9 from Dr. Werner Fink
> > Hmmm ... I see a SIGSEGV due to an uninitialized current_user.user_name ... but with
> > fixing that I see
> I don't see that SIGSEGV. Might I ask what you did to fix that? In any case I double checked, I still lose my group memberships using the rpm you pointed me to.
You might retry the now latest https://build.opensuse.org/package/binary/download/Base:System/bash/openSUSE... as this includes the fixed version
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c10
--- Comment #10 from Mark Hounschell
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c13
--- Comment #13 from Swamp Workflow Management
SMASH SMASH
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c15
Dr. Werner Fink
Dario Abatianni
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c18
Dario Abatianni
Dr. Werner Fink
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c23
--- Comment #23 from Dr. Werner Fink
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c25
--- Comment #25 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c26
--- Comment #26 from Swamp Workflow Management
Swamp Workflow Management
Otto Hollmann