Relinquish supplementary groups when dropping privileges by setgid/setuid

[ingvarha]

"The CERT C Secure Coding Standard" advices to explicit relinquish supplementary groups when dropping privileges by setgid/setuid. This is discussed for example at http://ow.ly/OpPFH.

I'll make a pull request with a simple patch for this, byt just doing setgroups(0, NULL)

Ingvar

[lkarsten]

Added in ef25784. Thanks!

[ingvarha]

In the change in beta3, setgroups is only called before setgid. It should also be called before setuid. Let's say there is a group "system" which gives extra privileges. A confused sysadmin has added the root user to that group. If hitch is called with --user, but not --group. setgroups will not be called. hitch will start, setuid to the new user, but will keep the extra group "system", and keep extra privileges. Or am I wrong?

There is something fishy going on with the groups anyhow, wich might or might not be related. Consider the following:

[ingvar@lardal ~]$ hitch-openssl example.com.pem &
[1] 15268
20150619T065530.031443 [15268] {core} Using OpenSSL version 100010bf.
20150619T065530.032247 [15268] {core} Listening on 0.0.0.0:8443
20150619T065530.032336 [15268] {core} Listening on [::]:8443
[ingvar@lardal ~]$ 20150619T065530.037169 [15268] {core} Note: no DH parameters found in example.com.pem
20150619T065530.037838 [15275] {core} Process 0 online
20150619T065530.038080 [15275] {core} Successfully attached to CPU #0

[ingvar@lardal ~]$ ps -o pid,uid,euid,gid,egid,fgid -p pgrep hitch-openssl
PID UID EUID GID EGID FGID
15268 1000 1000 1000 1000 1000
15275 1000 1000 1000 1000 1000
[ingvar@lardal ~]$ kill %1
20150619T065542.975235 [15268] {core} Received signal 15, shutting down.
[1]+ Done hitch-openssl example.com.pem

Here we see hitch get effective user id and group id correctly. Now, try to run it with user/group specified:

[ingvar@lardal ~]$ sudo hitch-openssl -u hitch -g hitch example.com.pem &
[1] 15362
[ingvar@lardal ~]$ 20150619T065736.124121 [15369] {core} Using OpenSSL version 100010bf.
20150619T065736.124518 [15369] {core} Listening on 0.0.0.0:8443
20150619T065736.124608 [15369] {core} Listening on [::]:8443
20150619T065736.127768 [15369] {core} Note: no DH parameters found in example.com.pem
20150619T065736.128243 [15370] {core} Process 0 online
20150619T065736.128421 [15370] {core} Successfully attached to CPU #0

[ingvar@lardal ~]$ ps -o pid,uid,euid,gid,egid,fgid -p pgrep hitch-openssl
PID UID EUID GID EGID FGID
15369 980 980 0 0 0
15370 980 980 0 0 0
[ingvar@lardal ~]$ sudo kill 15362
20150619T065753.897171 [15369] {core} Received signal 15, shutting down.
[1]+ Done sudo hitch-openssl -u hitch -g hitch example.com.pem

So, the process is still running with effective user 0, that is root??!?

Also, in beta3, the man page does not mention -g | --group, though the binary happily accepts that config.

Ingvar

[ingvarha]

A working patch that at least sets the correct gid here, please apply: http://users.linpro.no/ingvar/varnish/hitch-1.0.0-beta3.setgroup.patch

Ingvar

[lkarsten]

Hi, and thanks for following up on this.

From what I can see, your output shows the process running with EUID==980, which I assume is your hitch user.

I've added your patch for setgroups(), and here is new output for comparing with:

root     10433  5022  0 18:51 pts/0    00:00:00 sudo ./hitch-openssl --user=hitch --group=hitch /etc/hitch/testcert.pem
hitch    11600 10433  0 18:51 pts/0    00:00:00 ./hitch-openssl --user=hitch --group=hitch /etc/hitch/testcert.pem
hitch    11602 11600  0 18:51 pts/0    00:00:00 ./hitch-openssl --user=hitch --group=hitch /etc/hitch/testcert.pem

lkarsten@IMMER ~> ps -o pid,uid,euid,gid,egid,fgid -p 11600
  PID   UID  EUID   GID  EGID  FGID
11600   127   127   139   139   139
lkarsten@IMMER ~> id hitch
uid=127(hitch) gid=139(hitch) grupper=139(hitch),20(dialout)

(yes, the parent process is supposed to run as root. it does not handle any connections.)