Florian Weimer of the Red Hat Product Security Team reported that certain functions in Condor (my_popenv_impl and my_spawnv in src/condor_utils/my_popen.cpp) did not check the return value of setuid and similar function calls:

    euid = geteuid();
    egid = getegid();
    seteuid( 0 );
    setgroups( 1, &egid );
    setgid( egid );
    setuid( euid );

As a result, the subprocess could possibly be created with root privileges instead of those of the intended user.
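Added example, not Condor's code and not part of the report: the unchecked identity-switch sequence quoted above next to a checked version that refuses to spawn when the transition did not verifiably happen. The function names (switch_ids_unchecked, switch_ids_checked, spawn_as_user, try_switch_to_self) are hypothetical; the system calls are the same ones the report names.

```c
/* Added example (not Condor's code): unchecked vs. checked uid/gid
 * transition before spawning a child. Helper names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The pattern from the report. If seteuid(0) or setuid(euid) fails
 * (EPERM, or setuid() hitting RLIMIT_NPROC for the target user),
 * execution continues and the exec that follows runs with whatever
 * identity the process still has. */
void switch_ids_unchecked(uid_t euid, gid_t egid)
{
    seteuid(0);
    setgroups(1, &egid);
    setgid(egid);
    setuid(euid);
}

/* Hardened form: returns 0 only if the process now runs as euid/egid
 * and, for a non-root target, cannot regain root. On failure returns
 * -1 with errno set and *step naming the call that failed. Groups and
 * gid are set while still root, because they cannot be set afterwards. */
static int switch_ids_checked(uid_t euid, gid_t egid, const char **step)
{
    *step = "seteuid(0)";
    if (seteuid(0) != 0)
        return -1;
    *step = "setgroups";
    if (setgroups(1, &egid) != 0)
        return -1;
    *step = "setgid";
    if (setgid(egid) != 0)
        return -1;
    *step = "setuid";
    if (setuid(euid) != 0)
        return -1;

    /* Do not trust the return values alone: re-read the ids. */
    *step = "verify ids";
    if (getuid() != euid || geteuid() != euid ||
        getgid() != egid || getegid() != egid) {
        errno = EPERM;
        return -1;
    }
    /* setuid() called as root also replaces the saved set-user-ID,
     * so a non-root target must no longer be able to become root. */
    *step = "verify root is unrecoverable";
    if (euid != 0 && seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    *step = NULL;
    return 0;
}

/* Spawn argv as euid/egid. The child reaches execv() only if the
 * transition succeeded; otherwise it exits 127 without running anything. */
static int spawn_as_user(uid_t euid, gid_t egid, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        const char *step;
        if (switch_ids_checked(euid, egid, &step) != 0) {
            fprintf(stderr, "%s failed: %s; not executing %s\n",
                    step, strerror(errno), argv[0]);
            _exit(127);
        }
        execv(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Checked transition to the caller's own ids, in-process. Unprivileged,
 * seteuid(0) fails with EPERM and this returns -1, where
 * switch_ids_unchecked() would have carried on silently. */
int try_switch_to_self(void)
{
    const char *step;
    int rc = switch_ids_checked(geteuid(), getegid(), &step);
    if (rc != 0)
        fprintf(stderr, "refusing to spawn: %s failed: %s\n",
                step, strerror(errno));
    return rc;
}

int main(void)
{
    char *const argv[] = { "/bin/sh", "-c", "id", NULL };
    int rc = spawn_as_user(geteuid(), getegid(), argv);
    printf("child exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Run as root, the child executes `id` as the target identity and the program exits 0. Run unprivileged, the child fails at seteuid(0) with EPERM and exits 127 before any exec; the unchecked pattern would instead have exec'd the command as the caller. The post-condition checks (re-reading the ids and confirming seteuid(0) now fails for a non-root target) catch the case where a call returns success but the process is not in the state the caller assumed.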
Sorry, I had missed your question. See my last comment on the original bug: I tried to come up with a scenario in which a UID transition does actually occur, and failed. I don't think anymore this is a security issue. One of the callers, privsep_popen, is dead code. The other paths do not specify a UID change, so the code just tries to adjust the effective user/group IDs. This does not appear to be necessary for the my_popen(v) call sites in the code base.
Upon further review, it looks as though the only exploitable issue here is this: no checks in ./src/condor_vm-gahp/vmgahp_common.cpp between lines 659 and 662:

    seteuid( 0 );
    setgroups( 1, &egid );
    setgid( egid );
    setuid( euid );

This code is present in the VMware support, which has been confirmed to not be active in our packages, so the relevant code path cannot be triggered. Our packages use the Xen part only, and that invokes systemCommand with PRIV_ROOT anyway, so there is no privilege escalation to be had.
Statement: Not vulnerable. This issue did not affect the versions of condor as shipped with Red Hat Enterprise MRG, because they do not include the vulnerable code (VMware support is not compiled in).
Acknowledgements: This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
This issue has been addressed in the following products: MRG for RHEL-5 v.2 Via RHSA-2012:1278 https://rhn.redhat.com/errata/RHSA-2012-1278.html
This issue has been addressed in the following products: MRG for RHEL-6 v.2 Via RHSA-2012:1281 https://rhn.redhat.com/errata/RHSA-2012-1281.html
This has been resolved in upstream 7.6.10 and 7.8.4: https://lists.cs.wisc.edu/archive/condor-users/2012-September/msg00077.shtml
Git commit for this fix: http://condor-git.cs.wisc.edu/?p=condor.git;a=commitdiff;h=94e84ce4