
oss-sec mailing list archives
Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly
From: Steve Grubb <sgrubb () redhat com>
Date: Thu, 24 Jan 2013 22:10:52 -0500
On Thursday, January 24, 2013 05:53:38 PM Kurt Seifried wrote:
> So again, if you know of a way to exploit this please let us know, otherwise we will continue to consider this a security hardening issue and not a security vulnerability.
The way these supplemental group issues work is that depending on the groups file, the daemon may try to change to user/group "nobody", but retains group root. This means that any file with group root write privs could be replaced/altered. My experience is that distros have enough files that permissions are wrong on something, somewhere. It's just a matter of finding it.

    find / -type f -perm -00020 -printf "%-60p %g\t%M\n" 2>/dev/null

So, it boils down to: the problem isn't a vulnerability by itself. However, should a _real_ vulnerability be found in the program, the CVSS score would be higher because the program has CWE-250.

-Steve
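One way to check a running system for the condition Steve describes (a daemon that switched to an unprivileged uid/gid but still carries group 0 in its supplementary set) is to read the Uid, Gid and Groups lines of /proc/<pid>/status. The script below is an added example written for this thread; it is not haproxy code and not part of the original message. The two sample status bodies are constructed; the /proc field layout (Uid/Gid as real, effective, saved, filesystem ids; Groups as a space-separated list) is standard Linux.

```python
"""Flag processes that dropped uid 0 but kept a privileged supplementary group.

Added example for the oss-sec thread on haproxy and supplementary groups.
Not haproxy code; the SAMPLE_* bodies below are constructed test data.
"""
import os


def parse_status(text):
    """Return (real_uid, real_gid, supplementary_groups) from a /proc/<pid>/status body."""
    uid = gid = None
    groups = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields = value.split()
        if key == "Uid":
            uid = int(fields[0])          # first column is the real uid
        elif key == "Gid":
            gid = int(fields[0])          # first column is the real gid
        elif key == "Groups":
            groups = [int(g) for g in fields]   # empty list when nothing follows
    if uid is None or gid is None:
        raise ValueError("Uid/Gid lines missing from status body")
    return uid, gid, groups


def retained_privileged_groups(text, privileged=(0,)):
    """Privileged groups still present after the process left uid 0.

    A process that is still root is not reported: it has not dropped anything yet.
    """
    uid, _gid, groups = parse_status(text)
    if uid == 0:
        return []
    return sorted(g for g in groups if g in privileged)


def scan_proc(privileged=(0,)):
    """Walk /proc and return {pid: [retained privileged groups]} for offenders."""
    findings = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as fh:
                text = fh.read()
        except OSError:
            continue                      # process exited or not readable
        bad = retained_privileged_groups(text, privileged)
        if bad:
            findings[int(entry)] = bad
    return findings


# Constructed sample: setgid()/setuid() to "nobody" (65534) were called, but
# setgroups() was not, so group 0 survives in the supplementary list.
SAMPLE_LEAKY = (
    "Name:\thaproxy\n"
    "Uid:\t65534\t65534\t65534\t65534\n"
    "Gid:\t65534\t65534\t65534\t65534\n"
    "Groups:\t0 65534 \n"
)

# Constructed sample: the same daemon after a correct drop (setgroups first).
SAMPLE_CLEAN = (
    "Name:\thaproxy\n"
    "Uid:\t65534\t65534\t65534\t65534\n"
    "Gid:\t65534\t65534\t65534\t65534\n"
    "Groups:\t65534 \n"
)

if __name__ == "__main__":
    print("constructed leaky sample:", retained_privileged_groups(SAMPLE_LEAKY))
    print("constructed clean sample:", retained_privileged_groups(SAMPLE_CLEAN))
    for pid, groups in sorted(scan_proc().items()):
        print(f"pid {pid} kept privileged groups {groups}")
```

Run it as root on a live host to have scan_proc() cover every process; unprivileged runs still see the sample results. The fix on the daemon side is the usual ordering: setgroups() to an empty list, then setgid(), then setuid(), so that the Groups line ends up like the clean sample.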
Current thread:
- [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly Jan Lieskovsky (Jan 23)
- Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly Kurt Seifried (Jan 24)
- Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly Steve Grubb (Jan 24)
- Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly Kurt Seifried (Jan 24)