[Bug 1095670] New: Problem with suid pgms on Leap-15.0
http://bugzilla.suse.com/show_bug.cgi?id=1095670

            Bug ID: 1095670
           Summary: Problem with suid pgms on Leap-15.0
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.0
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
          Assignee: bnc-team-screening@forge.provo.novell.com
          Reporter: dmarkh@cfl.rr.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

I am upgrading an older SuSE-13.2 box to Leap. I have done a fresh Leap-15.0 install and ported over the source code that we ran on the 13.2 box. It builds fine but I am having an issue. The program is/has to be an suid pgm. It also uses fork/execvpe/wait to execute some external scripts. And that is where my problem lies. The user is a member of several groups but these group memberships seem to disappear when these external scripts are executed. For instance the user is a member of the cdrom group so he can eject and work with a DVD. I have created a simple example script and source for a pgm that execvpe's that script which shows my problem.

test.sh script:

    #!/bin/sh
    whoami
    id

test.c pgm source:

    #define _GNU_SOURCE
    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(void)
    {
        /* Hand only PATH through to the script. PATH may be unset, so
           check before using it instead of dereferencing NULL. */
        char *path = getenv("PATH");
        if (path == NULL)
            path = "/bin:/usr/bin";
        char pathenv[strlen(path) + sizeof("PATH=")];
        sprintf(pathenv, "PATH=%s", path);
        char *envp[] = {pathenv, NULL};
        char *tests[] = {"./test.sh", NULL};

        /* execvpe only returns on failure. */
        execvpe(tests[0], tests, envp);
        perror("execvpe");
        return 1;
    }

    #cc test.c
    #./a.out
    markh
    uid=5076(markh) gid=100(users) groups=100(users),19(floppy),200(lcrs),484(tape),485(lp),488(disk),489(dialout),490(cdrom)

Then as root:

    #chown root ./a.out
    #chgrp root ./a.out
    #chmod +s ./a.out

Then as user:

    #./a.out
    markh
    uid=5076(markh) gid=100(users) groups=100(users)

Once the pgm is owned by root and suid, I lose all my group memberships for some unknown reason. It is not proper to me. This all works fine on 13.2 but does not on Leap 15 or Leap 42.3. Is there some security setting somewhere that broke this?
-- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1095670
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c3

--- Comment #3 from Dr. Werner Fink <werner@suse.com> ---
(In reply to Jan Ritzerfeld from comment #2)
> POS36-C: "Consequently, it is recommended that a program relinquish supplementary group IDs immediately before relinquishing root privileges." rpmlint warns about a missing-call-to-setgroups-before-setuid.
That is the reason why the setgroups is there:

@@ -1277,6 +1278,7 @@ disable_priv_mode () { int e; + setgroups(0, NULL); if (setuid (current_user.uid) < 0) { e = errno;

...maybe the initgroups(3) (g)libc call would be better, as this inherently does setgroups(2) with the user's groups as well. Also it would help if rpmlint would mention initgroups(3) as the better option.
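Review bot: the added `setgroups(0, NULL)` in `disable_priv_mode` empties the whole supplementary group list before `setuid (current_user.uid)`, so the shell continues as the real user with nothing but the primary gid; that is exactly the `groups=100(users)` result in comment #0. Its return value is also ignored, while the `setuid` directly below it is checked. If the intent is POS36-C's "relinquish supplementary groups before relinquishing root", `initgroups(current_user.user_name, current_user.gid)` in the same place resets the list to what the group database grants the real user rather than discarding it; its result should be tested like the `setuid` call, and it needs `current_user.user_name` to be populated at that point (comment #7 reports a SIGSEGV when it is not).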
http://bugzilla.suse.com/show_bug.cgi?id=1095670
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c4

--- Comment #4 from Andrei Borzenkov <arvidjaar@gmail.com> ---
Was it ever submitted upstream? Was it rejected? If yes, why?

In any case, upstream or not, this needs documentation. Behavior is entirely undocumented, not even in changelog, and is incompatible with other distributions and upstream.
http://bugzilla.suse.com/show_bug.cgi?id=1095670
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c5

--- Comment #5 from Dr. Werner Fink <werner@suse.com> ---
(In reply to Andrei Borzenkov from comment #4)
> Was it ever submitted upstream? Was it rejected? If yes, why?
>
> In any case, upstream or not, this needs documentation. Behavior is entirely undocumented, not even in changelog, and is incompatible with other distributions and upstream.
This was a simple leftover done to silence the rpmlint messages for another bug. I had never added this to the changelog as it slipped out.

(In reply to Mark Hounschell from comment #0)
> I am upgrading an older SuSE-13.2 box to Leap. I have done a fresh Leap-15.0 install and ported over the source code that we ran on the 13.2 box. It builds fine but I am having an issue. The program is/has to be an suid pgm. It also uses fork/execvpe/wait to execute some external scripts. And that is where my problem lies. The user is a member of several groups but these group memberships seem to disappear when these external scripts are executed. For instance the user is a member of the cdrom group so he can eject and work with a DVD. I have created a simple example script and source for a pgm that execvpe's that script which shows my problem.
You might give the latest version of bash in project Base:System a try, as here I have replaced the setgroups(2) system call with the initgroups(3) libc call:

https://build.opensuse.org/package/binary/download/Base:System/bash/openSUSE...

If this works for you I'll submit the fix to upstream and will see if Chet does accept this.
http://bugzilla.suse.com/show_bug.cgi?id=1095670
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c6

--- Comment #6 from Mark Hounschell <dmarkh@cfl.rr.com> ---
> https://build.opensuse.org/package/binary/download/Base:System/bash/openSUSE...

This did not work for me. Same results. Did it work for you with the provided test case?
http://bugzilla.suse.com/show_bug.cgi?id=1095670
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c7

--- Comment #7 from Dr. Werner Fink <werner@suse.com> ---
(In reply to Mark Hounschell from comment #6)
> https://rudin.suse.de:8894/package/binary/download/Base:System/bash/openSUSE_Leap_15.0/x86_64/bash-4.4-lp150.361.1.x86_64.rpm
>
> This did not work for me. Same results. Did it work for you with the provided test case?
Hmmm ... I see a SIGSEGV due to an uninitialized current_user.user_name ... but with fixing that I see

    abuild@noether:/tmp> cat checkgrp.c
    #define _GNU_SOURCE
    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main()
    {
        char *path = getenv("PATH");
        char pathenv[strlen(path) + sizeof("PATH=")];
        sprintf(pathenv, "PATH=%s", path);
        char *envp[] = {pathenv, NULL};
        char *tests[] = {"/tmp/id.sh", NULL};
        execvpe(tests[0], tests, envp);
    }
    abuild@noether:/tmp> cat id.sh
    #!/bin/sh
    whoami
    id
    abuild@noether:/tmp> ll
    total 32
    -rw------- 1 root   root     101 Jun  4 10:43 .xauthEJxh4h0IyV
    -rwsr-sr-x 1 root   root   16936 Jun  4 10:48 checkgrp
    -rw-r--r-- 1 abuild abuild   352 Jun  4 10:48 checkgrp.c
    -rwxr-xr-x 1 abuild abuild    20 Jun  4 10:48 id.sh
    abuild@noether:/tmp> ./checkgrp
    abuild
    uid=399(abuild) gid=399(abuild) groups=399(abuild),488(video),489(tape),495(cdrom),496(audio)
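The two privilege-drop variants discussed in comments #3, #5 and #7 side by side, as an added example that is neither bash's source nor any reproducer posted in this bug. `drop_privileges_clearing_groups` mirrors the shape of the `setgroups(0, NULL)` patch; `drop_privileges_keeping_groups` is the `initgroups(3)`-based alternative, with the NULL user name that crashed in comment #7 rejected up front. `same_group_set` and `snapshot_groups` are helpers invented for this example so the program can report whether the invoking user's supplementary groups survived the drop. Run as a setuid-root binary it performs the drop and prints the result; as a plain binary it only reports that there is nothing to drop.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Compare two group-id lists as sets (order ignored). Helper for this
 * example only; used to check that a privilege drop kept the groups. */
int same_group_set(const gid_t *a, int na, const gid_t *b, int nb)
{
    if (na != nb)
        return 0;
    for (int i = 0; i < na; i++) {
        int found = 0;
        for (int j = 0; j < nb && !found; j++)
            found = (a[i] == b[j]);
        if (!found)
            return 0;
    }
    return 1;
}

/* Copy the current supplementary group list into a malloc'd array.
 * Returns the number of entries or -1 (errno set). */
int snapshot_groups(gid_t **out)
{
    int n = getgroups(0, NULL);
    if (n < 0)
        return -1;
    *out = calloc((size_t)n + 1, sizeof(gid_t));
    if (*out == NULL)
        return -1;
    return getgroups(n + 1, *out);
}

/* Shape of the SUSE bash patch quoted in comment #3: setgroups(0, NULL)
 * wipes the supplementary list, so after setuid() only the primary gid is
 * left. Kept here purely as the contrast case. */
int drop_privileges_clearing_groups(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    return 0;
}

/* Alternative from comment #5: while still root, initgroups(3) rebuilds the
 * supplementary list for user_name from the group database, then gid and
 * uid are dropped. A NULL or empty name (the uninitialized
 * current_user.user_name of comment #7) yields EINVAL instead of a crash. */
int drop_privileges_keeping_groups(const char *user_name, uid_t uid, gid_t gid)
{
    if (user_name == NULL || user_name[0] == '\0') {
        errno = EINVAL;
        return -1;
    }
    if (initgroups(user_name, gid) < 0)
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    /* The drop must be irreversible: a non-root target must not be able to
     * get root back. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    struct passwd *pw = getpwuid(ruid);
    gid_t *before = NULL, *after = NULL;
    int nb = snapshot_groups(&before);  /* groups inherited from the caller */

    if (geteuid() != 0) {
        printf("not running setuid-root (euid=%u); nothing to drop\n",
               (unsigned)geteuid());
        free(before);
        return 0;
    }
    if (drop_privileges_keeping_groups(pw ? pw->pw_name : NULL, ruid, rgid) < 0) {
        perror("drop_privileges_keeping_groups");
        free(before);
        return 1;
    }
    /* initgroups() derives the list from the group database, so it matches
     * the inherited one whenever the login session did the same. */
    int na = snapshot_groups(&after);
    printf("euid=%u egid=%u, supplementary groups %s\n",
           (unsigned)geteuid(), (unsigned)getegid(),
           same_group_set(before, nb, after, na) ? "preserved" : "changed");
    free(before);
    free(after);
    return 0;
}
```

The order matters: `initgroups` and `setgid` both need root, so they run before `setuid`; swapping them leaves the process unable to change its group list, which is the condition POS36-C warns about.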
http://bugzilla.suse.com/show_bug.cgi?id=1095670
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c8

--- Comment #8 from Mark Hounschell <dmarkh@cfl.rr.com> ---
> Hmmm ... I see a SIGSEGV due to an uninitialized current_user.user_name ... but with fixing that I see
I don't see that SIGSEGV. Might I ask what you did to fix that? In any case, I double checked; I still lose my group memberships using the rpm you pointed me to.
http://bugzilla.suse.com/show_bug.cgi?id=1095670
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c9

--- Comment #9 from Dr. Werner Fink <werner@suse.com> ---
(In reply to Mark Hounschell from comment #8)
> > Hmmm ... I see a SIGSEGV due to an uninitialized current_user.user_name ... but with fixing that I see
>
> I don't see that SIGSEGV. Might I ask what you did to fix that? In any case, I double checked; I still lose my group memberships using the rpm you pointed me to.
You might retry the now latest

https://build.opensuse.org/package/binary/download/Base:System/bash/openSUSE...

as this includes the fixed version.
http://bugzilla.suse.com/show_bug.cgi?id=1095670
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c10

--- Comment #10 from Mark Hounschell <dmarkh@cfl.rr.com> ---
Yes, that one seems to work properly for me in my test case and in my application.
http://bugzilla.suse.com/show_bug.cgi?id=1095670
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c13

--- Comment #13 from Swamp Workflow Management <swamp@suse.de> ---
This is an autogenerated message for OBS integration:
This bug (1095670) was mentioned in
https://build.opensuse.org/request/show/621861 Factory / bash
http://bugzilla.suse.com/show_bug.cgi?id=1095670

SMASH SMASH <smash_bz@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|                            |maint:planned:update
http://bugzilla.suse.com/show_bug.cgi?id=1095670
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c15

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #15 from Dr. Werner Fink <werner@suse.com> ---
Submit requests running
http://bugzilla.suse.com/show_bug.cgi?id=1095670

Dario Abatianni <dabatianni@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dabatianni@suse.com
              Flags|                            |needinfo?(werner@suse.com)
http://bugzilla.suse.com/show_bug.cgi?id=1095670
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c18

Dario Abatianni <dabatianni@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(werner@suse.com)

--- Comment #18 from Dario Abatianni <dabatianni@suse.com> ---
Thanks for the response! My approach is very similar to comment #7 and looks like this; the output is the same before the patch and after the patch:

--------------------------
# version numbers after installing
# ReviewRequestID: SUSE:Maintenance:7803:171261
# Repository: http://download.suse.de/ibs/SUSE:/Maintenance:/7803/
bragi:~ # rpm -q bash
bash-4.4-9.5.2.x86_64
bragi:~ # bash --version
GNU bash, version 4.4.23(1)-release (x86_64-suse-linux-gnu)
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
--------------------------
# create the helper shell script and make it executable:
bragi:~ # cat > /tmp/reproducer_1095670.sh <<EOF
#!/bin/bash
whoami
id
EOF
bragi:~ # chmod +x /tmp/reproducer_1095670.sh
# create the reproducer, but don't set it to SUID yet:
bragi:~ # cat > /tmp/reproducer_1095670.c << EOF
#define _GNU_SOURCE
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    char *path = getenv("PATH");
    char pathenv[strlen(path) + sizeof("PATH=")];
    sprintf(pathenv, "PATH=%s", path);
    char *envp[] = {pathenv, NULL};
    char *tests[] = {"/tmp/reproducer_1095670.sh", NULL};
    execvpe(tests[0], tests, envp);
}
EOF
bragi:~ # gcc -o /tmp/reproducer_1095670 /tmp/reproducer_1095670.c
# switch to the user account (same output when I log in via ssh)
bragi:~ # su - dabatianni
dabatianni@bragi:~> /tmp/reproducer_1095670
dabatianni
uid=16676(dabatianni) gid=50(suse) groups=50(suse),22224(vpn2)
# At this point the extra group vpn2 is still there
dabatianni@s390vsl083:~> logout
# SUID the reproducer and try again:
bragi:~ # chmod +s /tmp/reproducer_1095670
# switch to the user account (same output when I log in via ssh)
bragi:~ # su - dabatianni
dabatianni@bragi:~> /tmp/reproducer_1095670
dabatianni
uid=16676(dabatianni) gid=50(suse) groups=50(suse)
# after SUIDing the binary the extra group vpn2 is gone when using the
# reproducer, but it's still there when regularly running id:
dabatianni@bragi:~> id
uid=16676(dabatianni) gid=50(suse) groups=50(suse),22224(vpn2)
--------------------------

Please let me know if you need any more information or if I can help in any other way! Thanks!
http://bugzilla.suse.com/show_bug.cgi?id=1095670

Dr. Werner Fink <werner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(werner@suse.com)  |
http://bugzilla.suse.com/show_bug.cgi?id=1095670
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c23

--- Comment #23 from Dr. Werner Fink <werner@suse.com> ---
Try SR#173129
http://bugzilla.suse.com/show_bug.cgi?id=1095670
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c25

--- Comment #25 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2018:3079-1: An update that has three recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1095661,1095670,1100488
CVE References:
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    bash-4.4-9.7.1
http://bugzilla.suse.com/show_bug.cgi?id=1095670
http://bugzilla.suse.com/show_bug.cgi?id=1095670#c26

--- Comment #26 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-RU-2018:3139-1: An update that has three recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1095661,1095670,1100488
CVE References:
Sources used:
openSUSE Leap 15.0 (src):    bash-4.4-lp150.8.3.1
http://bugzilla.suse.com/show_bug.cgi?id=1095670

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|maint:planned:update        |
https://bugzilla.suse.com/show_bug.cgi?id=1095670

Otto Hollmann <otto.hollmann@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.suse.com/show_bug.cgi?id=1192785