Your message dated Fri, 13 Jan 2017 09:34:11 +0000
with message-id <e1cryfp-0000fa...@fasolo.debian.org>
and subject line Bug#722215: fixed in tinyproxy 1.8.4-1
has caused the Debian Bug report #722215,
regarding Does not drop supplementary groups
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
722215: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=722215
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tinyproxy
Version: 1.8.3-3
Severity: important
Tags: upstream patch
Control: forwarded -1 https://bugzilla.banu.com/show_bug.cgi?id=115

When configured to change to a different user and group after startup
(User and Group configuration directives), tinyproxy does not drop
supplementary groups. These are still inherited from the calling
process. This may lead to a situation where tinyproxy has more access
than expected. At least on Debian systems root shells have "root" as a
supplementary group. This currently leads to the situation where
tinyproxy can read files readable only by the group "root".

The attached patch fixes this by dropping all supplementary groups if
the Group directive is set.

If only the User directive is set, groups are not dropped. This is
inline with the current code that also does not change the primary group
of the process in this case. I'm not sure if that's the behavior an
average user would expect. It might be safer to change to the primary
group of that user in this case and to either also drop supplementary
groups or change to the supplementary groups of this user with the
initgroups function.

The patch adds a new check for the setgroups function as this function
is not part of POSIX.

I also submitted this bug upstream as
https://bugzilla.banu.com/show_bug.cgi?id=115. But it would still be
useful to fix it with a patch in the Debian package until it's fixed
upstream.

Gaudenz

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (800, 'testing'), (700, 'unstable'), (50, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
>From cb0b7454c17dceb9be7ebb6b5f9e86c2a3389f36 Mon Sep 17 00:00:00 2001
From: Gaudenz Steinlin <gaud...@debian.org>
Date: Mon, 9 Sep 2013 08:33:48 +0200
Subject: [PATCH] Drop supplementary groups

Supplementary groups are inherited from the calling process. Drop all
supplementary groups if the "Group" configuration directive is set to
change to a different user. Otherwise the process may have more rights
than expected.
---
 configure.ac |  2 +-
 src/main.c   | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 303fc7b..377e204 100644
--- a/configure.ac
+++ b/configure.ac
@@ -203,7 +203,7 @@ AC_FUNC_REALLOC
 AC_CHECK_FUNCS([gethostname inet_ntoa memchr memset select socket strcasecmp \
                 strchr strdup strerror strncasecmp strpbrk strstr strtol])
 AC_CHECK_FUNCS([isascii memcpy setrlimit ftruncate regcomp regexec])
-AC_CHECK_FUNCS([strlcpy strlcat])
+AC_CHECK_FUNCS([strlcpy strlcat setgroups])
 
 
 dnl Enable extra warnings
diff --git a/src/main.c b/src/main.c
index a7ae9c7..abb047d 100644
--- a/src/main.c
+++ b/src/main.c
@@ -296,6 +296,16 @@ change_user (const char *program)
                         exit (EX_NOPERM);
                 }
 
+#ifdef HAVE_SETGROUPS
+                /* Drop all supplementary groups, otherwise these are inherited from the calling process */
+                if (setgroups (0, NULL) < 0) {
+                        fprintf (stderr,
+                                 "%s: Unable to drop supplementary groups.\n",
+                                 program);
+                        exit (EX_NOPERM);
+                }
+#endif
+
                 log_message (LOG_INFO, "Now running as group \"%s\".",
                              config.group);
         }
-- 
1.8.4.rc3


--- End Message ---
--- Begin Message ---
Source: tinyproxy
Source-Version: 1.8.4-1

We believe that the bug you reported is fixed in the latest version of
tinyproxy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 722...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <jo...@debian.org> (supplier of updated tinyproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 12 Jan 2017 17:47:16 +0100
Source: tinyproxy
Binary: tinyproxy
Architecture: source amd64
Version: 1.8.4-1
Distribution: unstable
Urgency: medium
Maintainer: Ed Boraas <e...@debian.org>
Changed-By: Jordi Mallach <jo...@debian.org>
Description:
 tinyproxy  - Lightweight, non-caching, optionally anonymizing HTTP proxy
Closes: 722215
Changes:
 tinyproxy (1.8.4-1) unstable; urgency=medium
 .
   * New upstream release.
     - Drops supplementary groups on startup (thanks, Gaudenz Steinlin;
       closes: #722215).
   * Update Homepage URL again.
   * Update Vcs-* fields following migration to Git.
   * Bump to debhelper compat v10.
     Remove explicit Build-Depend on dh-autoreconf, now handled by dh.
   * Drop all patches, all merged upstream.
   * Drop no longer needed Build-Deps on bison, flex and libadns1-dev.
   * Call dh_auto_configure instead of configure directly.
   * Replace $(MAKE) call with dh_auto_install.
   * Rewrite copyright in machine-readable format version 1.0.
   * Make $DESC more descriptive in the init script.
   * Make init script source init-functions from lsb-base.
   * Update Standards-Version to 3.9.8.
   * Change /var/run references to /run.
   * Add Michael Adam's OpenPGP key to upstream/signing-key.asc.
   * Update watch file for Github releases, and check PGP signature.
   * Remove obsolete debian/source/options.
   * Add systemd service and tmpfile files.
   * Pass --fail-missing to dh_install.
   * Enable all hardening options.
   * Depend on lsb-base to ensure the utility functions are available.
Checksums-Sha1:
 9f2b12fda6fc1efc3ef3bdaffc917789898680fe 2154 tinyproxy_1.8.4-1.dsc
 2ecc31268b386c282f4c9f4ed53dd9b76f3c3aee 192300 tinyproxy_1.8.4.orig.tar.xz
 ea58944daa705551ed82df72742c5ac6bd42080c 181 tinyproxy_1.8.4.orig.tar.xz.asc
 54edbba38533d6ad93e07afc3b741adba6a2225f 20184 tinyproxy_1.8.4-1.debian.tar.xz
 6df1619e3fe9e61c99f2a01cfe34d41a63cb720d 98336 
tinyproxy-dbgsym_1.8.4-1_amd64.deb
 b60fcaf046928020409970bacdc4f03ef3de770c 5398 tinyproxy_1.8.4-1_amd64.buildinfo
 81f90c9a13209cedc3dd3376eb91982742320fcb 84992 tinyproxy_1.8.4-1_amd64.deb
Checksums-Sha256:
 3bb1312b4e4eaffe2d7c81271fe3b58686b8399e3e23869533e4e8d7ecb1472e 2154 
tinyproxy_1.8.4-1.dsc
 a41f4ddf0243fc517469cf444c8400e1d2edc909794acda7839f1d644e8a5000 192300 
tinyproxy_1.8.4.orig.tar.xz
 2ab516a8a6568162d66081c617c8b9c71ada4a14b789aea02c7d832c18c432cc 181 
tinyproxy_1.8.4.orig.tar.xz.asc
 af03f4c0b2a7e2bb9fe7f7083f52a6d3abd37d905c8bdfbb7efa93516a270634 20184 
tinyproxy_1.8.4-1.debian.tar.xz
 2068bf9014fcea5a45477fb596e3312b259acbdc7530ea07edc7f437770f0b03 98336 
tinyproxy-dbgsym_1.8.4-1_amd64.deb
 01502f60c22cd65f73adbe32d3360503adf16a4c162b65d58b72474847aa5734 5398 
tinyproxy_1.8.4-1_amd64.buildinfo
 7cb47864b533f9ef26b9dcb99f7daf12ca58f31152143f79d9a206edcb1b9e79 84992 
tinyproxy_1.8.4-1_amd64.deb
Files:
 2d0c22fe5a20c4b7f21b4f4c71ef42b6 2154 web optional tinyproxy_1.8.4-1.dsc
 b181e8c78cb31c2bc16b61fcf2425190 192300 web optional 
tinyproxy_1.8.4.orig.tar.xz
 40114246a53ee2be072ece9b5185bf6d 181 web optional 
tinyproxy_1.8.4.orig.tar.xz.asc
 287fcd4363fe5baff0e8e1f29386fc31 20184 web optional 
tinyproxy_1.8.4-1.debian.tar.xz
 f6b0cb3f8deb1fdb3c68a4ce21812390 98336 debug extra 
tinyproxy-dbgsym_1.8.4-1_amd64.deb
 9c692cee48112eb86ff355fa9dbc625c 5398 web optional 
tinyproxy_1.8.4-1_amd64.buildinfo
 7385964f3139a0088ba3746ebc9ef191 84992 web optional tinyproxy_1.8.4-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE6BdUhsApKYN8KGoWJVAvb8vjywQFAlh4nK4ACgkQJVAvb8vj
ywR6+w/+I7KKRmhwzYjBkgHsiQzIR+/cRlW6jwGzeayisjtMSwTwBQ+rQ7JhJeYz
ZW/mYYuJw69y43uk+M5PSOKlD1lvuhZHrOh9pMwxmi2ujfk1I8DhQe1+hQHjC4mL
Axp3+luVIcRi0cMnJqr97+4xFL/QC026KTsbzYYOT+AbYMruP8DO0NU0Y1l6LcEp
9DRNa+IhRfp7JWVcKP6wYNykJfFRyMchLWwkdU7THtv7TeEoFVddiVAVmqwvyew2
5srFNS641RIGjpS9p13n91XaIBfp8wpEPTPYbROd2JkksbzwK2s74nRTCOtekIZs
01sPK7MPvHP7pliBLpbdfGl5N3dFbsz9bHd+IEmbj5/WB38gC80gJncSoGPJltR8
N7FbsqwzbU5U55GTzmgQd7In7CNQQMRmRQDDIYKCqQEC5mWzguf4B9wjC78PL6p+
g37mnfX4P7/di6VCMsIlxSD1aTT+iUXlQg/xWOne3FHnXFy+UQ82/nj28JtNMsFp
haEMPU8QQP6fkeQgMg2VrJPYFCTNJWlwRE1EqvFG0GnOFcUGCGonKLXriY/qrcEs
2fakRUJviFpMYIpatsVQ1nTPbfmbVEyESoVoPg9MeY/5i4JZE7CMa8UBQlhxZBcG
ANq5QeGeoBtFz9th6eSv45+SpvdF18G63MQskpIp9XIuD6i3v4c=
=+0wh
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to