The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #12459

Permanent uid change doesn't drop supplementary groups

Added by Anonymous over 2 years ago. Updated over 2 years ago.

Status: Closed
Start date: 02/06/2012
Priority: Normal
Due date:
Assignee: Dominic Maraglia
% Done: 0%
Category: -
Target version: -
Affected Puppet version:
Branch: https://github.com/puppetlabs/puppet-cve-test/commits/security/2.6.x/suidmanager-security
Keywords:



Description

3a. Permanent uid change doesn’t drop supplementary groups

When execute_posix or similar forks and calls SUIDManager’s change_user method, it sets permanent=true to change the real uid instead of the euid (lib/puppet/util.rb:307).

In change_user, a different code path is taken when a permanent change is made, and so the supplementary groups aren’t dropped (lib/puppet/util/suidmanager.rb:121), even if the primary group is set.

3b. Demo

This is really easy:

cat setgid.pp

exec { "/usr/bin/id":
  user      => "nobody",
  group     => "nobody",
  logoutput => true,
}

puppet apply setgid.pp

notice: /Stage[main]//Exec[/usr/bin/id]/returns: uid=99(nobody) gid=99(nobody) groups=99(nobody),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),1004(sshusers) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I haven’t produced a patch for this last problem, though it should be easy enough to fix.
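Added example (not part of the ticket and not Puppet's code): a permanent privilege drop that clears the supplementary group list before changing gid and uid, plus a check that flags inherited groups in `id` output such as the demo's. The names `parse_id`, `leaked_groups` and `drop_privileges!` are hypothetical, and resetting the list to only the target group is an assumed policy.

```ruby
require 'etc'

# `id` output copied from the demo in this ticket (SELinux context trimmed).
SAMPLE_ID_OUTPUT = 'uid=99(nobody) gid=99(nobody) groups=99(nobody),0(root),' \
                   '1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),1004(sshusers)'

# Parse one line of id(1) output into numeric uid, gid and group list.
# Assumes group names contain no whitespace.
def parse_id(line)
  uid    = line[/\buid=(\d+)/, 1]
  gid    = line[/\bgid=(\d+)/, 1]
  groups = line[/\bgroups=(\S+)/, 1]
  raise ArgumentError, 'not id(1) output' unless uid && gid && groups
  { uid: uid.to_i, gid: gid.to_i, groups: groups.split(',').map(&:to_i) }
end

# Gids still held that the target identity should not have; empty means clean.
def leaked_groups(groups, allowed_gids)
  groups - allowed_gids
end

# Permanent drop for a forked child (hypothetical helper, must start as root).
# Order matters: the supplementary list and gid can only be changed while
# still root, so the uid goes last.
def drop_privileges!(user, group)
  pw = Etc.getpwnam(user)
  gr = Etc.getgrnam(group)
  Process.groups = [gr.gid]              # setgroups(2): discard inherited groups
  Process::GID.change_privilege(gr.gid)  # real, effective and saved gid
  Process::UID.change_privilege(pw.uid)  # real, effective and saved uid
  leaked = leaked_groups(Process.groups, [gr.gid])
  raise SecurityError, "supplementary groups kept: #{leaked.inspect}" unless leaked.empty?
  begin
    Process::UID.change_privilege(0)     # must fail after a permanent drop
  rescue SystemCallError
    return true
  end
  raise SecurityError, 'root could be regained after the drop'
end

# Safe to run unprivileged: only inspects the recorded output.
if __FILE__ == $PROGRAM_NAME
  seen = parse_id(SAMPLE_ID_OUTPUT)
  puts "leaked gids: #{leaked_groups(seen[:groups], [seen[:gid]]).inspect}"
end
```

The same `parse_id` / `leaked_groups` pair can serve as a regression check by feeding it the logged output of an `exec` resource that runs `/usr/bin/id` as an unprivileged user.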

History

#1 Updated by Anonymous over 2 years ago

  • Branch set to https://github.com/puppetlabs/puppet-cve-test/commits/security/2.6.x/suidmanager-security

https://github.com/puppetlabs/puppet-cve-test/commits/security/2.6.x/suidmanager-security should have a fix for this. It passes the logic check, and has tests, but I have not finished validating that it actually resolves the global problem. It should.

#2 Updated by Jason McKerr over 2 years ago

  • Assignee set to Deepak Giridharagopal

#4 Updated by Matthaus Owens over 2 years ago

  • Status changed from Accepted to Closed
  • Private changed from Yes to No

Released in 2.6.14, 2.7.11
