Package: runit Version: 1.3.3-1 Severity: critical Tags: security Justification: root security hole
Hi Gerrit, As I told you during lunch a few weeks ago, the chpst binary in the Sid package of runit behaves buggy regarding multiple groups in the -u parameter: $ strace -s 4096 -f /usr/bin/chpst -u nobody:ipod:nogroup:camera:mythtv/bin/sleep 1 2>&1 | grep setgroups setgroups(4, [1006, 0, 65534, 0]) = 0 The 0 groups are wrong here, so the process gets permissions for the root group where is shouldn't! The correct group IDs look like this: $ grep -E "ipod|nogroup|camera|mythtv" /etc/group nogroup:x:65534: mythtv:x:110:scorpion ipod:x:1006:scorpion camera:x:1009:scorpion A chpst binary built using just "make" on my unstable system (which will be linked against glibc) behaves correctly: $ strace -s 4096 -f src/runit-1.3.3/admin/runit-1.3.3/src/chpst -u nobody:ipod:nogroup:camera:mythtv /bin/sleep 1 2>&1 | grep setgroups setgroups32(4, [1006, 65534, 1009, 110]) = 0 I think the reason is that dietlibc handles the gid_t type as 16 bit on i386. In /usr/include/diet/sys/types.h, I found this: #elif defined(__arm__) || defined(__i386__) || defined(__sparc__) || defined(__s390__) /* make sure __s390x__ hits before __s390__ */ typedef uint16_t dev_t; typedef uint16_t gid_t; Whereas glibc uses 32 bit for gid_t on i386. In chpst, a struct uidgid will be used to build the list for setgroups, and it uses int for the groups: struct uidgid { int uid; int gid[61]; int gids; }; Therefore, on the little endian i386 architecture with dietlibc, the list of 32 bit values supplied by chpst will be threated as a list of 16 bit values in setgroups(), resulting in a 0 on each second list entry. I suggest to use gid_t in the struct uidgid to fix this. Regards, Tino -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.15.1 Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15) -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]