Package: runit
Version: 1.3.3-1
Severity: critical
Tags: security
Justification: root security hole

Hi Gerrit,

As I told you during lunch a few weeks ago, the chpst binary in the
Sid package of runit behaves buggy regarding multiple groups in the
-u parameter:

$ strace -s 4096 -f /usr/bin/chpst -u nobody:ipod:nogroup:camera:mythtv /bin/sleep 1 2>&1 | grep setgroups

setgroups(4, [1006, 0, 65534, 0])       = 0

The 0 groups are wrong here, so the process gets permissions for the
root group where it shouldn't!

The correct group IDs look like this:

$ grep -E "ipod|nogroup|camera|mythtv" /etc/group
nogroup:x:65534:
mythtv:x:110:scorpion
ipod:x:1006:scorpion
camera:x:1009:scorpion

A chpst binary built using just "make" on my unstable system (which will be
linked against glibc) behaves correctly:

$ strace -s 4096 -f src/runit-1.3.3/admin/runit-1.3.3/src/chpst -u nobody:ipod:nogroup:camera:mythtv /bin/sleep 1 2>&1 | grep setgroups

setgroups32(4, [1006, 65534, 1009, 110]) = 0

I think the reason is that dietlibc handles the gid_t type as 16 bit on
i386. In /usr/include/diet/sys/types.h, I found this:

#elif defined(__arm__) || defined(__i386__) || defined(__sparc__) || defined(__s390__) /* make sure __s390x__ hits before __s390__ */
    typedef uint16_t dev_t;
    typedef uint16_t gid_t;

Whereas glibc uses 32 bit for gid_t on i386.

In chpst, a struct uidgid will be used to build the list for setgroups,
and it uses int for the groups:

struct uidgid {
  int uid;
  int gid[61];
  int gids;
};

Therefore, on the little endian i386 architecture with dietlibc, the
list of 32 bit values supplied by chpst will be treated as a list of
16 bit values in setgroups(), resulting in a 0 on each second list entry.

I suggest using gid_t in the struct uidgid to fix this.

Regards,
Tino

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15.1
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

-- no debconf information
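
Added example (not part of the original report and not runit's code): a small C program that reproduces the misread described above and shows one way to build the list in the libc's own group type. The type gid16_t and the helpers read_ints_as_gid16, convert_gids and count_gid are hypothetical names; gid16_t is an assumed stand-in for dietlibc's 16-bit gid_t on i386, and the group IDs are the ones quoted from /etc/group in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: gid16_t stands in for dietlibc's 16-bit gid_t on i386. */
typedef uint16_t gid16_t;

/* What a setgroups() with a 16-bit gid_t sees when handed an array of 32-bit
 * ints on little-endian i386: entry i is one 16-bit half of int i/2. */
static void read_ints_as_gid16(const int *src, size_t n, gid16_t *out) {
    for (size_t i = 0; i < n; i++) {
        uint32_t word = (uint32_t)src[i / 2];
        out[i] = (gid16_t)((i % 2 == 0) ? (word & 0xffffu) : (word >> 16));
    }
}

/* Hypothetical fix: keep the list in the libc's own gid type, converting
 * element by element and refusing IDs that do not fit. */
static int convert_gids(const int *src, size_t n, gid16_t *out) {
    for (size_t i = 0; i < n; i++) {
        if (src[i] < 0 || src[i] > UINT16_MAX) return -1;
        out[i] = (gid16_t)src[i];
    }
    return 0;
}

/* Count how often one group ID (for example 0, the root group) appears. */
static int count_gid(const gid16_t *list, size_t n, gid16_t wanted) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) hits += (list[i] == wanted);
    return hits;
}

int main(void) {
    /* ipod, nogroup, camera, mythtv: values quoted in the report */
    const int groups[4] = {1006, 65534, 1009, 110};
    gid16_t seen[4], fixed[4];

    read_ints_as_gid16(groups, 4, seen);
    printf("misread:   %d %d %d %d (root entries: %d)\n",
           seen[0], seen[1], seen[2], seen[3], count_gid(seen, 4, 0));
    if (convert_gids(groups, 4, fixed) == 0)
        printf("converted: %d %d %d %d (root entries: %d)\n",
               fixed[0], fixed[1], fixed[2], fixed[3], count_gid(fixed, 4, 0));
    return 0;
}
```

The misread list matches the setgroups(4, [1006, 0, 65534, 0]) line in the first strace output; the converted list matches the glibc-linked binary's.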