The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com
Real gid always present in supplementary groups
|Assignee:||Dominic Maraglia||% Done:|
|Affected Puppet version:||Branch:||https://github.com/puppetlabs/puppet-cve-test/commits/security/2.6.x/suidmanager-security|
Ticket tracking is now hosted in JIRA: https://tickets.puppetlabs.com
This issue is currently not available for export. If you are experiencing the issue described below, please file a new ticket in JIRA. Once a new ticket has been created, please add a link to it that points back to this Redmine ticket.
1a. Real gid always present in supplementary groups¶
In Puppet::Util::SUIDManager, Puppet tries to re-init the supplementary groups in the “initgroups” method. At lib/puppet/util/suidmanager.rb:148, it reads:
Since the real gid is probably root, this always adds the gid “0” to the list of supplementary groups for the process as per this strace for a change to my user account (with 7 supplementary groups):
setgroups(8, [0, 10, 14, 18, 54, 1002, 1004, 474]) = 0
This method is called by SUIDManager’s change_user method, which is called in critical places such as lib/puppet/util.rb:308 in execute_posix (as used by lots of things including Exec resources).
Fixed in the attached patch by supplying the user’s primary gid instead.
#1 Updated by Daniel Pittman about 2 years ago
- Branch set to https://github.com/puppetlabs/puppet-cve-test/commits/security/2.6.x/suidmanager-security
https://github.com/puppetlabs/puppet-cve-test/commits/security/2.6.x/suidmanager-security should have the patch from Dominic split apart, tests added, and ready to go for 2.6.x
#3 Updated by Deepak Giridharagopal about 2 years ago
- Assignee changed from Deepak Giridharagopal to Dominic Maraglia