Bug 903303
Summary: | haproxy: Fails to properly drop supplementary groups after setuid / setgid calls | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | haproxy | Assignee: | Ryan O'Hara <rohara> |
Status: | CLOSED ERRATA | QA Contact: | Brandon Perkins <bperkins> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.4 | CC: | djansa, lnovich, mnovacek, robinlee.sysu, rohara |
Target Milestone: | rc | Keywords: | OtherQA |
Target Release: | 6.5 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
URL: | http://www.openwall.com/lists/oss-security/2013/01/23/7 | ||
Whiteboard: | |||
Fixed In Version: | haproxy-1.4.24-2.el6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | 903293 | Environment: | |
Last Closed: | 2013-11-21 11:27:04 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 903293, 903306, 903307, 947987 | ||
Bug Blocks: | 883504, 903295, 903301 |
Description
Jan Lieskovsky
2013-01-23 16:52:20 UTC
This will not be fixed in EPEL6 since haproxy will be TP in RHEL6.4.

Since haproxy will be retired in EPEL when it goes TP in RHEL6.4, I'm moving this to RHEL6.5.

Upstream version 1.4.24 contains the fix for this, so this is resolved in RHEL6.5 as part of the rebase (rhbz#947987).

I have verified that the privileges are properly dropped for haproxy-1.4.24-2.el6.x86_64:

BEFORE THE PATCH:
=================

```
# rpm -q haproxy
haproxy-1.4.22-3.el6.x86_64
# service haproxy start
Starting haproxy: [ OK ]
# ps axf -o pid,user,group,command | grep hapr
4661 root root \_ grep hapr
4602 haproxy haproxy /usr/sbin/haproxy -D -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
# grep Group /proc/4602/status
Groups: 0
```

AFTER THE PATCH:
================

```
# rpm -q haproxy
haproxy-1.4.24-2.el6.x86_64
# service haproxy start
Starting haproxy: [ OK ]
# ps a -o pid,user,group,command | grep haproxy
1196 root root grep hapr
31712 haproxy haproxy haproxy -f /etc/haproxy/haproxy.cfg -d -V
# grep Group /proc/31712/status
Groups:
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1619.html
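The `grep Group /proc/<pid>/status` check used in the verification above, written as a reusable audit function for a daemon that has dropped privileges. This is an added example, not part of the bug report or of haproxy; the function names, the sample status files and the numeric uid/gid 188 are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit the Uid/Gid/Groups lines of a /proc/<pid>/status file
# for supplementary groups left behind after a setuid/setgid privilege drop.

# Print the supplementary groups that differ from the effective GID.
extra_groups() {
    awk '$1 == "Gid:"    { egid = $3 }
         $1 == "Groups:" { for (i = 2; i <= NF; i++) g[++n] = $i }
         END { for (i = 1; i <= n; i++)
                   if (g[i] != egid) printf "%s%s", (c++ ? " " : ""), g[i] }' "$1"
}

# Return 1 (and say why) when a non-root process still holds extra groups.
check_drop() {
    euid=$(awk '$1 == "Uid:" { print $3 }' "$1")
    extra=$(extra_groups "$1")
    if [ "$euid" != "0" ] && [ -n "$extra" ]; then
        echo "LEAK: euid=$euid still in supplementary group(s): $extra"
        return 1
    fi
    echo "OK: euid=$euid holds no extra supplementary groups"
}

# Constructed samples modelled on the two sessions above. The numeric
# uid/gid 188 for the haproxy account is an assumption, not from the report.
SAMPLES=$(mktemp -d)
printf 'Name:\thaproxy\nUid:\t188\t188\t188\t188\nGid:\t188\t188\t188\t188\nGroups:\t0 \n' \
    > "$SAMPLES/before"
printf 'Name:\thaproxy\nUid:\t188\t188\t188\t188\nGid:\t188\t188\t188\t188\nGroups:\t\n' \
    > "$SAMPLES/after"

check_drop "$SAMPLES/before" || true   # 1.4.22-style result: root group retained
check_drop "$SAMPLES/after"            # 1.4.24-style result: Groups line is empty

# Live use: check_drop "/proc/$(cat /var/run/haproxy.pid)/status"
```

The check only makes sense for daemons expected to run with a single group; interactive user processes legitimately carry supplementary groups.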