As reported on the oss-security mailing list [1] the arpwatch-drop.patch as included in Red Hat arpwatch packages does not properly drop capabilities when changing uid/gid. It calls initgroups() as:

+ if ( initgroups(pw->pw_name, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
+ setuid(pw->pw_uid) != 0 )

However in this case, the NULL results in group 0 being added to the supplementary groups list.

[1] http://www.openwall.com/lists/oss-security/2012/05/24/12
Oh, this does not affect upstream arpwatch.
There was an additional mention of a tcpdump patch having this same problem:

http://www.openwall.com/lists/oss-security/2012/05/25/2
(patch: http://users.jyu.fi/~mesrik/pkg/tcpdump/tcpdump-3.7.1-droproot2.patch)

but upon looking at tcpdump in RHEL and Fedora, we are using:

    if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||

(which looks to be upstream-based, and would be ok).
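The difference between the two initgroups() calls discussed above, as an added example that is not part of the bug report or of the arpwatch or tcpdump sources. It uses getgrouplist(), which builds the same list without needing root, and adds a drop routine that verifies its result. The user name "demo-daemon", gid 54321 and both function names are constructed for illustration, and the check assumes the service account is not meant to be in group 0.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 64

/* 1 if the list initgroups(user, base) would install contains `want`,
 * 0 if not, -1 if it does not fit. getgrouplist() builds that same list
 * (base gid plus the user's group-file memberships) without privileges. */
int would_have_group(const char *user, gid_t base, gid_t want)
{
    gid_t groups[MAX_GROUPS];
    int n = MAX_GROUPS;
    if (getgrouplist(user, base, groups, &n) == -1)
        return -1;
    for (int i = 0; i < n; i++)
        if (groups[i] == want)
            return 1;
    return 0;
}

/* Drop root to pw, then verify instead of trusting return codes alone. */
int drop_privileges(const struct passwd *pw)
{
    gid_t groups[MAX_GROUPS];
    if (pw->pw_uid == 0 || pw->pw_gid == 0)
        return -1;                       /* not a drop at all */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||   /* pw_gid, not NULL */
        setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    int n = getgroups(MAX_GROUPS, groups);
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++)
        if (groups[i] == 0)
            return -1;                   /* gid 0 survived the drop */
    return setuid(0) == 0 ? -1 : 0;      /* regaining root must fail */
}

int main(void)
{
    /* "demo-daemon" and gid 54321 are constructed sample values. */
    printf("gid 0 in list: arg 0 (what NULL becomes) = %d, arg pw_gid = %d\n",
           would_have_group("demo-daemon", 0, 0),
           would_have_group("demo-daemon", 54321, 0));
    return 0;
}
```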
Created arpwatch tracking bugs for this issue

Affects: fedora-all [bug 828436]
arpwatch-2.1a15-20.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
arpwatch-2.1a15-16.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
arpwatch-2.1a15-18.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.