+++ This bug was initially created as a clone of Bug #903293 +++

Description of problem:

As noted in bug #894626 and in:

[1] http://www.openwall.com/lists/oss-security/2013/01/23/7

haproxy previously failed to drop supplementary groups properly when trying to drop root privileges. By itself this problem is not a security flaw, but it is still serious enough for the upstream fix:

[2] git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=ab012dd3

to be backported into all of the affected versions.

Version-Release number of selected component (if applicable):
haproxy-1.4.19-1.el6_3

How reproducible:
Always

Steps to Reproduce:
1. See https://bugzilla.redhat.com/show_bug.cgi?id=894626#c0 for further reproducer details

Actual results:
Supplementary groups are not dropped properly after setuid / setgid calls.

Expected results:
(All) Supplementary groups should be dropped when dropping root privileges.
Schedule haproxy update when this patch is available upstream.
OpenShift is not exposed to this issue, reducing severity. With both the system haproxy and a scalable app:

[root@ip-10-77-75-81 ~]# ps auxwwwww |grep haproxy
haproxy    9205  0.0  0.0  23412  3836 ?      Ss   14:18   0:00 /usr/sbin/haproxy -D -f /etc/openshift/port-proxy.cfg -p /var/run/openshift-port-proxy.pid -sf 1839
501        9502  0.0  0.0  16440  1312 ?      Ss   14:18   0:00 /usr/sbin/haproxy -f /var/lib/openshift/512e5bf6ef805c16c4000006//haproxy-1.4/conf/haproxy.cfg -sf 9373
501        9552  0.0  0.2 111032 22420 ?      Sl   14:18   0:00 haproxy_ctld.rb
root      10159  0.0  0.0 103236   876 pts/0  S+   14:19   0:00 grep haproxy
[root@ip-10-77-75-81 ~]# grep Group /proc/9205/status
Groups:
[root@ip-10-77-75-81 ~]# grep Group /proc/9502/status
Groups: 501
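As an added example (not from this bug thread or from haproxy itself), a shell check that generalises the /proc/<pid>/status inspection in the comment above: it extracts any supplementary group ids a process still carries and audits every running haproxy process. It assumes a Linux /proc and that `pgrep` is available.

```shell
#!/bin/sh
# Added example: audit whether a process still carries supplementary groups,
# using the "Groups:" line of /proc/<pid>/status (assumes Linux procfs).

# Read /proc/<pid>/status text on stdin and print the supplementary group
# ids from its "Groups:" line, one per line. No output means the set is empty,
# which is what a correctly privilege-dropped daemon should show.
supp_groups_from_status() {
    awk '$1 == "Groups:" { for (i = 2; i <= NF; i++) print $i }'
}

# Check one pid. Returns 0 if no supplementary groups remain, 1 if some do,
# 2 if the status file cannot be read (no such pid, or not Linux).
check_pid() {
    pid=$1
    groups=$(supp_groups_from_status < "/proc/$pid/status") || return 2
    if [ -n "$groups" ]; then
        printf 'pid %s keeps supplementary groups: %s\n' \
            "$pid" "$(printf '%s\n' "$groups" | tr '\n' ' ')"
        return 1
    fi
    printf 'pid %s has no supplementary groups\n' "$pid"
    return 0
}

# Walk every haproxy process; a daemon that started as root and dropped to
# another uid should report an empty group set (pgrep assumed available).
audit_haproxy() {
    for pid in $(pgrep -x haproxy 2>/dev/null); do
        check_pid "$pid"
    done
}
```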
Closing this bug since there's nothing for OpenShift to do but wait for upstream.