Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly
From: Steve Grubb <sgrubb () redhat com>
Date: Thu, 24 Jan 2013 22:10:52 -0500
On Thursday, January 24, 2013 05:53:38 PM Kurt Seifried wrote:
> So again, if you know of a way to exploit this please let us know,
> otherwise we will continue to consider this a security hardening issue
> and not a security vulnerability.
The way these supplemental group issues work is that depending on the groups
file, the daemon may try to change to user/group "nobody", but retains group
root. This means that any file with group root write privs could be
replaced/altered. My experience is that distros have enough files that
permissions are wrong on something, somewhere. It's just a matter of finding it.
find / -type f -perm -00020 -printf "%-60p %g\t%M\n" 2>/dev/null
So, it boils down to the problem isn't a vulnerability by itself. However,
should a _real_ vulnerability be found in the program, the CVSS score would be
higher because the program has CWE-250.
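
Added example (not part of the original message and not haproxy's code): a privilege drop that clears supplementary groups before setgid()/setuid() and then verifies the result. The function names and the uid/gid 65534 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Count entries in list[0..n) other than the intended primary gid. */
int extra_groups(const gid_t *list, int n, gid_t primary)
{
    int extra = 0;
    for (int i = 0; i < n; i++)
        if (list[i] != primary)
            extra++;
    return extra;
}

/* Same check against the live process; returns -1 on error. */
int process_extra_groups(gid_t primary)
{
    int n = getgroups(0, NULL);          /* ask for the list size first */
    if (n <= 0) return n;                /* -1 on error, 0 if no groups */
    gid_t *list = malloc(n * sizeof *list);
    if (!list) return -1;
    n = getgroups(n, list);
    int extra = n < 0 ? -1 : extra_groups(list, n, primary);
    free(list);
    return extra;
}

/* Drop from root to uid/gid. Order matters: setgroups() and setgid()
 * need root, so both must run before setuid(). Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -1;  /* clear inherited groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify: no leftover groups, and root cannot be regained. */
    if (process_extra_groups(gid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample: 65534 is "nobody" on many systems (assumption). */
    if (geteuid() == 0 && drop_privileges(65534, 65534) != 0) return 1;
    printf("extra groups: %d\n", process_extra_groups(getgid()));
    return 0;
}
```

Started as root, it prints 0 extra groups; with the setgroups() call removed, the count is whatever root's supplementary group list held at startup.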