This repository has been archived by the owner on May 4, 2018. It is now read-only.

rpmlint warning: missing-call-to-setgroups-before-setuid #1093

Closed
daxim opened this issue Jan 31, 2014 · 7 comments

@daxim

daxim commented Jan 31, 2014

When packaging libuv-0.11.19 on openSUSE 13.1, rpmlint reports the warning:

libuv11.x86_64: W: missing-call-to-setgroups-before-setuid /usr/lib64/libuv.so.11.0.0
This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this mean it didn't relinquish all groups, and
this would be a potential security issue to be fixed. Seek POS36-C on the web
for details about the problem.

Is this warning legitimate or bogus? If the former, that should be fixed in the libuv source code. If the latter, I can suppress the warning in the specfile.

@Sannis
Contributor

Sannis commented Feb 1, 2014

@daxim are you planning to deploy that rpm to devel:languages:nodejs or some other channel on openSUSE build services?

@daxim
Author

daxim commented Feb 2, 2014

libuv is one of the indirect dependencies of rakudo; I plan to submit it to devel:languages:parrot.

@bnoordhuis
Contributor

I came here to report this as a bug. Yes, this is a potential security issue that needs to be addressed.

(EDIT: Another thing that libuv should do on Linux is drop some or all capabilities.)

/cc @indutny

@saghul
Contributor

saghul commented Feb 10, 2014

Landed a fix for this warning in 66ab389. We should also drop some (or all) capabilities on Linux, I created #1106 for that.

@saghul saghul closed this as completed Feb 10, 2014
@saghul
Contributor

saghul commented Aug 18, 2015

On 08/18/2015 09:57, Lubomir Rintel wrote:

FWIW this patch is incorrect. With size of 0, it doesn't set anything:

If size is zero, list is not modified, but the total number of
supplementary group IDs for the process is returned. This allows the
caller to determine the size of a dynamically allocated list to be
used in a further call to getgroups().

My understanding is that what you quoted applies to getgroups, not
setgroups, which is what we are using here. Can you point me to another
resource stating this is incorrect? I'm surprised, because many eyes saw
this patch, as we had to issue a CVE, and I'd hate it if it was wrong
after all. Thanks!

@lkundrak

@saghul sorry for the noise; I read the manual incorrectly. The paragraph actually referred to getgroups().

Need more coffee.

Sorry again.

@saghul
Contributor

saghul commented Aug 18, 2015

No problem!
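As an added example (not libuv's code and not the commit the thread references), this is what the rpmlint warning in the first comment and the setgroups(0, NULL) exchange above are about: the supplementary group list must be cleared while the process still has CAP_SETGID, i.e. before setgid() and setuid(), and size 0 to setgroups() means "install an empty list", whereas size 0 to getgroups() only queries the count. The function names, the argument handling in main() and the fallback to the caller's own ids are assumptions of this example; initgroups(3), also named in the rpmlint message, is the alternative when the target is a named user whose own supplementary groups should be kept.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Drop privileges in the order POS36-C requires (hypothetical helper, not
 * libuv's).  setgroups() needs CAP_SETGID, which is gone once the process
 * has switched gid/uid, so the supplementary list is cleared first; the
 * primary gid goes before the uid for the same reason.  setgroups(0, NULL)
 * installs an empty list (only getgroups() treats size 0 as a count query).
 * Returns 0 on success, or -errno of the first step that failed.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0)
        return -errno;          /* EPERM: no CAP_SETGID, or setgroups denied */
    if (setgid(gid) != 0)
        return -errno;
    if (setuid(uid) != 0)
        return -errno;
    return 0;
}

/*
 * Post-condition check: real and effective ids match the target and no
 * supplementary group is left.  getgroups(0, NULL) returns the number of
 * supplementary groups without writing to any buffer.
 * Returns 1 when fully dropped, 0 otherwise.
 */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (getgroups(0, NULL) != 0)
        return 0;
    return 1;
}

int main(int argc, char **argv)
{
    /* Target ids default to the caller's own (assumed convention), so the
     * program is harmless unprivileged; pass "uid gid" to drop for real. */
    uid_t uid = argc > 2 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();

    int rc = drop_privileges(uid, gid);
    if (rc != 0) {
        fprintf(stderr, "drop_privileges failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("uid=%u gid=%u, supplementary groups cleared: %s\n",
           (unsigned)getuid(), (unsigned)getgid(),
           privileges_dropped(uid, gid) ? "yes" : "no");
    return 0;
}
```

Run as root with a target such as `65534 65534` and the check reports the groups as cleared; run unprivileged and the setgroups() step itself fails with EPERM, which is exactly why a program that calls setuid() first can never clear the list afterwards and why rpmlint flags the missing call.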
