Bug 722529 - Remove root's supplemental groups
Remove root's supplemental groups
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: setup (Show other bugs)
rawhide
Unspecified Unspecified
high Severity high
: ---
: ---
Assigned To: Ondrej Vasik
Fedora Extras Quality Assurance
: Security
Depends On:
Blocks: 724007
  Show dependency treegraph
 
Reported: 2011-07-15 11:12 EDT by Steve Grubb
Modified: 2011-08-23 16:24 EDT (History)
1 user (show)

See Also:
Fixed In Version: setup-2.8.36-1.fc16
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 724007 (view as bug list)
Environment:
Last Closed: 2011-08-23 16:24:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Steve Grubb 2011-07-15 11:12:47 EDT
Description of problem:
The root account has: root, bin, sys, daemon, disk, and wheel as supplemental groups. This means that if code does this:
if (setgid(id) || setuid(id) ) {
    exit(1);
}

it possibly leaves supplemental groups attached to the process. Because most code does not yet use file system based capabilities, the vast majority of code that can do this sequence is the root user - which has supplemental groups. Any other exploitable condition in such programs means the supplemental groups make the attack more severe. One simple solution is to remove root from all entries in the 4th column of /etc/group.

It should be noted that setuid root programs are immune to this problem because initgroups is not called which would have added the supplemental groups.

Additional info:
usermod -G "" root
can be used after upgrade to produce the same results.
Comment 1 Ondrej Vasik 2011-07-15 13:36:12 EDT
Thanks for the report and suggestion, Steve ... this is probably impossible to fix this (other than some post lua scriptlet) by setup update - only by clean installation. Do you plan to report this against RHEL-6 as well?
The only think I'm wondering about is the historical purpose of these root's suplementary groups. Are the reasons for these groups completely gone and simple removal safe ?
Comment 2 Steve Grubb 2011-07-15 14:46:43 EDT
I put this in the same category as when we changed the default password hash to sha512. No nice way to fix old installs, so we have release notes that tell admins what to do (that's why I put the usermod instructions above). New installs are correct from the beginning.

I've heard other distributions don't have supplemental groups for root by default. I don't run other distros, but I heard it from a very reliable source. As best I can determine, they were like this from the dawn of time no one ever considered it. Bill said this goes back at least to RHL 5.2. Which probably predates CAP_DAC_OVERRIDE. At this point, capabilities should let root go wherever it needs to go.
Comment 4 Steve Grubb 2011-07-16 08:29:34 EDT
I looked at a Debian livecd. It has no supplemental groups at all except one called user to grant access to multimedia devices it seems. Maybe we should clean up more than just root. Bin, daemon, adm probably do not need to be in each other's groups, for example. And groups do not need their own group as a supplemental group. For example, lp has lp in its supplemental groups. This is unneccesary. I think there is one or two more like this.
Comment 9 Fedora Update System 2011-08-16 10:13:53 EDT
setup-2.8.36-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/setup-2.8.36-1.fc16
Comment 10 Tomas Hoger 2011-08-16 10:43:01 EDT
(In reply to comment #9)
> setup-2.8.36-1.fc16 has been submitted as an update for Fedora 16.
> https://admin.fedoraproject.org/updates/setup-2.8.36-1.fc16

This does not really fall into a category we call security update, imo.
Comment 11 Ondrej Vasik 2011-08-16 15:19:26 EDT
I filed the update only as a bugfix update, probably bodhi changed this automatically based on the Security keyword, I don't know ... anyway, as it is before f16 beta, it doesn't really matter that much...
Comment 12 Fedora Update System 2011-08-16 16:07:55 EDT
Package setup-2.8.36-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing setup-2.8.36-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/setup-2.8.36-1.fc16
then log in and leave karma (feedback).
Comment 13 Tomas Hoger 2011-08-17 03:00:53 EDT
(In reply to comment #11)
> I filed the update only as a bugfix update, probably bodhi changed this
> automatically based on the Security keyword, I don't know ... anyway, as it is
> before f16 beta, it doesn't really matter that much...

Ah, bodhi magic, right...
Comment 14 Fedora Update System 2011-08-23 16:24:35 EDT
setup-2.8.36-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.