Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

switch_user_group(): rpmlint reports call to setgroups before setuid #32

Open
jfkw opened this issue Oct 24, 2018 · 3 comments
Open

switch_user_group(): rpmlint reports call to setgroups before setuid #32

jfkw opened this issue Oct 24, 2018 · 3 comments
Assignees
@ogham

Comments

@jfkw
Copy link

jfkw commented Oct 24, 2018

switch_user_group(): rpmlint reports call to setgroups before setuid:

Building coreos-metadata-3.0.1, Crate users is pulled in via dependency crate update-ssh-keys-0.3.0. rpmlint reports the warning:

RPMLINT report:
===============
coreos-metadata.x86_64:
W: missing-call-to-setgroups-before-setuid /usr/bin/coreos-metadata
This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this means it didn't relinquish all groups, and
this would be a potential security issue to be fixed. Seek POS36-C on the web
for details about the problem.

The warning may not indicate an actual problem, but it would be helpful to eliminate the warning. Upstream https://github.com/coreos/update-ssh-keys and https://github.com/coreos/coreos-metadata have been notified via coreos/afterburn#118.

Per @lucab discussion in that issue:

The warning is related to switch_user_group in the users crate (all versions):

rust-users/src/switch.rs

Lines 134 to 143 in 15af157

pub fn switch_user_group(uid: uid_t, gid: gid_t) -> IOResult<SwitchUserGuard> {
let current_state = SwitchUserGuard {
uid: get_effective_uid(),
gid: get_effective_gid(),
};
try!(set_effective_gid(gid));
try!(set_effective_uid(uid));
Ok(current_state)
}

We are calling that in update-ssh-keys: https://github.com/coreos/update-ssh-keys/blob/v0.3.0/src/lib.rs#L108

In our specific case I think this is not a security bug. We are calling that method in order to align user/group on file creation only, not to drop privileges for the process (those are reset when the guard value is dropped at the end of the function).
@ogham ogham self-assigned this Nov 26, 2018
@ogham
Copy link
Owner

ogham commented Nov 26, 2018

Interesting! I think you’re right in saying this doesn’t affect your case, but rust-users is a general library and someone else is bound to run into the same problem eventually. Also it looks like doing the Rust equivalent of setgroups(0, NULL); is enough to make the warning go away.

@lucab
Copy link

lucab commented Nov 27, 2018

@ogham if you are going that route, it looks like the guard should record getgroups state before resetting groups and recover them back on drop.

@ogham
Copy link
Owner

ogham commented Mar 16, 2019

This doesn’t go all the way to solving the problem, but I’ve changed the code to setgid before setuid in f1b9902.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ogham ogham

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jfkw @lucab @ogham