Red Hat Bugzilla – Bug 23195
portmap runs with group root!
Last modified: 2007-04-18 12:30:28 EDT
I notice that portmap runs with the following credentials:
The user is great - the dubious "bin" user is no longer used.
But the group is a cause for concern, because I would be very unsurprised
to see group root lead to trivial full user root compromise (the occasional
dangerous thing is left writable by group root, separate bugs to be filed).
Can we please use a different group? Ideally a new group "rpc" (if it does
already exist). If that's too much hassle, something like "nobody" is a lot
Fixed in portmap-4.0-30; just required a couple of setgid() before the
BETA 3: portmap correctly runs as group "rpc".
By the way, switching away from user "bin" running portmap was
a very cool move, because lots of binaries owned by user "bin"
could have led to easy root access.
Just noticed that portmap is running with a bunch of
supplementary groups, including the _extremely_
dangerous disk group.
This represents a severe regression since RH6.x,
because a portmapper hole may now be trivially
leveraged to a root shell.
Bill - probably just a missing initgroups() call - could
you nail this before RH7.1 release?
I'll fix it.
Hmm... how do you actually see it's a member of that group?
I get this from /proc/pid:
[root@xyzzy2 607]# cat status
(32 being the rpmc group)
Ah. It doesn't happen by default, only if you restart it in a root login shell -
it inherits the groups.
Fixed in portmap-4.0-35, which you can find at http://people.redhat.com/teg/
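The privilege drop this thread converges on, as an added example that is not taken from the portmap source or from any comment above: reset the supplementary groups with initgroups() before setgid() and setuid(), then check a `Groups:` line like the one in /proc/pid/status for leftovers. The function names and the sample lines are constructed for illustration; gid 32 follows the comment above.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: count gids on a /proc/<pid>/status "Groups:" line
   that differ from `allowed`. Returns -1 if the line has no colon. */
int extra_groups(const char *line, gid_t allowed)
{
    const char *p = strchr(line, ':');
    int extra = 0;
    if (!p) return -1;
    for (p++;;) {
        char *end;
        unsigned long g = strtoul(p, &end, 10);
        if (end == p) break;               /* no more numbers on the line */
        if ((gid_t)g != allowed) extra++;
        p = end;
    }
    return extra;
}

/* Hypothetical helper: drop from root to `user`. Order matters: the
   supplementary list and the gid must change while we are still root. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (!pw) return -1;
    /* Replace groups inherited from the invoking shell with the account's own. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* Verify: regaining root must fail and the gid must have stuck. */
    if (setuid(0) == 0 || getegid() != pw->pw_gid) return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample lines: restarted from a root shell vs. after the drop. */
    printf("inherited: %d extra\n", extra_groups("Groups:\t0 1 2 3 4 6 10 32\n", 32));
    printf("dropped:   %d extra\n", extra_groups("Groups:\t32 \n", 32));
    return 0;
}
```
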