Bug 903303 - haproxy: Fails to properly drop supplementary groups after setuid / setgid calls
haproxy: Fails to properly drop supplementary groups after setuid / setgid calls
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: haproxy (Show other bugs)
6.4
Unspecified Unspecified
unspecified Severity unspecified
: rc
: 6.5
Assigned To: Ryan O'Hara
Brandon Perkins
http://www.openwall.com/lists/oss-sec...
: OtherQA
Depends On: 903293 903306 903307 947987
Blocks: 883504 903295 903301
  Show dependency treegraph
 
Reported: 2013-01-23 11:52 EST by Jan Lieskovsky
Modified: 2013-11-21 06:27 EST (History)
5 users (show)

See Also:
Fixed In Version: haproxy-1.4.24-2.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 903293
Environment:
Last Closed: 2013-11-21 06:27:04 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2013-01-23 11:52:20 EST
+++ This bug was initially created as a clone of Bug #903293 +++

Description of problem:
As noted in bug #894626 and in:
  [1] http://www.openwall.com/lists/oss-security/2013/01/23/7

haproxy previously failed to drop supplementary groups properly when trying to drop root privileges.

By itself this problem is not a security flaw, but still serious enough the upstream fix:
  [2] git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=ab012dd3

to be backported into all of the affected versions.

Version-Release number of selected component (if applicable):
haproxy-1.4.22-1.el6

How reproducible:
Always

Steps to Reproduce:
1. See https://bugzilla.redhat.com/show_bug.cgi?id=894626#c0 for further reproducer details
  
Actual results:
Supplementary groups are not dropped properly after setuid / setgid calls.

Expected results:
(All) Supplementary groups should be dropped when dropping root privileges.
Comment 1 Ryan O'Hara 2013-01-23 18:25:09 EST
This will not be fixed in EPEL6 since haproxy will be TP in RHEL6.4.
Comment 2 Ryan O'Hara 2013-01-28 10:48:21 EST
Since haproxy will be retired in EPEL when it goes TP in RHEL6.4, I'm moving this to RHEL6.5.
Comment 10 Ryan O'Hara 2013-07-10 11:12:28 EDT
Upstream version 1.4.24 contains the fix for this, so this is resolved in RHEL6.5 as part of the rebase (rhbz#947987).
Comment 12 michal novacek 2013-09-03 04:29:48 EDT
I have verified that the privileges are properly dropped for
haproxy-1.4.24-2.el6.x86_64:

BEFORE THE PATCH:
=================

# rpm -q haproxy
haproxy-1.4.22-3.el6.x86_64

# service haproxy start
Starting haproxy: [  OK  ]

# ps axf -o pid,user,group,command | grep hapr
 4661 root     root              \_ grep hapr
 4602 haproxy  haproxy  /usr/sbin/haproxy -D -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
# grep Group /proc/4602/status 
Groups: 0 


AFTER THE PATCH:
================

# rpm -q haproxy
haproxy-1.4.24-2.el6.x86_64

# service haproxy start
Starting haproxy: [  OK  ]

# ps a -o pid,user,group,command | grep haproxy
 1196 root     root     grep hapr
31712 haproxy  haproxy  haproxy -f /etc/haproxy/haproxy.cfg -d -V

# grep Group /proc/31712/status
Groups:
Comment 13 errata-xmlrpc 2013-11-21 06:27:04 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1619.html

Note You need to log in before you can comment on or make changes to this bug.