Bug 903303

Summary: haproxy: Fails to properly drop supplementary groups after setuid / setgid calls
Product: Red Hat Enterprise Linux 6 Reporter: Jan Lieskovsky <jlieskov>
Component: haproxyAssignee: Ryan O'Hara <rohara>
Status: CLOSED ERRATA QA Contact: Brandon Perkins <bperkins>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: djansa, lnovich, mnovacek, robinlee.sysu, rohara
Target Milestone: rcKeywords: OtherQA
Target Release: 6.5   
Hardware: Unspecified   
OS: Unspecified   
URL: http://www.openwall.com/lists/oss-security/2013/01/23/7
Whiteboard:
Fixed In Version: haproxy-1.4.24-2.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 903293 Environment:
Last Closed: 2013-11-21 11:27:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 903293, 903306, 903307, 947987    
Bug Blocks: 883504, 903295, 903301    

Description Jan Lieskovsky 2013-01-23 16:52:20 UTC 
+++ This bug was initially created as a clone of Bug #903293 +++

Description of problem:
As noted in bug #894626 and in:
  [1] http://www.openwall.com/lists/oss-security/2013/01/23/7

haproxy previously failed to drop supplementary groups properly when trying to drop root privileges.

By itself this problem is not a security flaw, but still serious enough the upstream fix:
  [2] git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=ab012dd3

to be backported into all of the affected versions.

Version-Release number of selected component (if applicable):
haproxy-1.4.22-1.el6

How reproducible:
Always

Steps to Reproduce:
1. See https://bugzilla.redhat.com/show_bug.cgi?id=894626#c0 for further reproducer details
  
Actual results:
Supplementary groups are not dropped properly after setuid / setgid calls.

Expected results:
(All) Supplementary groups should be dropped when dropping root privileges.
Comment 1 Ryan O'Hara 2013-01-23 23:25:09 UTC 
This will not be fixed in EPEL6 since haproxy will be TP in RHEL6.4.
Comment 2 Ryan O'Hara 2013-01-28 15:48:21 UTC 
Since haproxy will be retired in EPEL when it goes TP in RHEL6.4, I'm moving this to RHEL6.5.
Comment 10 Ryan O'Hara 2013-07-10 15:12:28 UTC 
Upstream version 1.4.24 contains the fix for this, so this is resolved in RHEL6.5 as part of the rebase (rhbz#947987).
Comment 12 michal novacek 2013-09-03 08:29:48 UTC 
I have verified that the privileges are properly dropped for
haproxy-1.4.24-2.el6.x86_64:

BEFORE THE PATCH:
=================

# rpm -q haproxy
haproxy-1.4.22-3.el6.x86_64

# service haproxy start
Starting haproxy: [  OK  ]

# ps axf -o pid,user,group,command | grep hapr
 4661 root     root              \_ grep hapr
 4602 haproxy  haproxy  /usr/sbin/haproxy -D -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
# grep Group /proc/4602/status 
Groups: 0 


AFTER THE PATCH:
================

# rpm -q haproxy
haproxy-1.4.24-2.el6.x86_64

# service haproxy start
Starting haproxy: [  OK  ]

# ps a -o pid,user,group,command | grep haproxy
 1196 root     root     grep hapr
31712 haproxy  haproxy  haproxy -f /etc/haproxy/haproxy.cfg -d -V

# grep Group /proc/31712/status
Groups:
Comment 13 errata-xmlrpc 2013-11-21 11:27:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1619.html