The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #12457

Real gid always present in supplementary groups

Added by Daniel Pittman about 2 years ago. Updated about 2 years ago.

Status:ClosedStart date:02/06/2012
Priority:NormalDue date:
Assignee:Dominic Maraglia% Done:

0%

Category:-
Target version:2.7.11
Affected Puppet version: Branch:https://github.com/puppetlabs/puppet-cve-test/commits/security/2.6.x/suidmanager-security
Keywords:

We've Moved!

Ticket tracking is now hosted in JIRA: https://tickets.puppetlabs.com

This issue is currently not available for export. If you are experiencing the issue described below, please file a new ticket in JIRA. Once a new ticket has been created, please add a link to it that points back to this Redmine ticket.


Description

1a. Real gid always present in supplementary groups

In Puppet::Util::SUIDManager, Puppet tries to re-init the supplementary groups in the “initgroups” method. At lib/puppet/util/suidmanager.rb:148, it reads:

Process.initgroups(Etc.getpwuid(user).name, Process.gid)

Since the real gid is probably root, this always adds the gid “0” to the list of supplementary groups for the process as per this strace for a change to my user account (with 7 supplementary groups):

setgroups(8, [0, 10, 14, 18, 54, 1002, 1004, 474]) = 0

This method is called by SUIDManager’s change_user method, which is called in critical places such as lib/puppet/util.rb:308 in execute_posix (as used by lots of things including Exec resources).

1b. Fixing

Fixed in the attached patch by supplying the user’s primary gid instead.

History

#1 Updated by Daniel Pittman about 2 years ago

  • Branch set to https://github.com/puppetlabs/puppet-cve-test/commits/security/2.6.x/suidmanager-security

https://github.com/puppetlabs/puppet-cve-test/commits/security/2.6.x/suidmanager-security should have the patch from Dominic split apart, tests added, and ready to go for 2.6.x

#2 Updated by Jason McKerr about 2 years ago

  • Assignee changed from Jason McKerr to Deepak Giridharagopal

#4 Updated by Matthaus Owens about 2 years ago

  • Status changed from Accepted to Closed
  • Target version set to 2.7.11
  • Private changed from Yes to No

Released in 2.6.14, 2.7.11

Also available in: Atom PDF