Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 903307

Summary: haproxy: Fails to properly drop supplementary groups after setuid / setgid calls
Product: OpenShift Container Platform Reporter: Jan Lieskovsky <jlieskov>
Component: ContainersAssignee: Brenton Leanhardt <bleanhar>
Status: CLOSED EOL QA Contact: libra bugs <libra-bugs>
Severity: unspecified Docs Contact:
Priority: low    
Version: 2.2.0CC: bperkins, libra-onpremise-devel, robinlee.sysu, rthrashe
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: http://www.openwall.com/lists/oss-security/2013/01/23/7
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 903293 Environment:
Last Closed: 2017-01-13 22:34:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 903293    
Bug Blocks: 903295, 903301, 903303, 903306    

Description Jan Lieskovsky 2013-01-23 17:02:59 UTC 
+++ This bug was initially created as a clone of Bug #903293 +++

Description of problem:
As noted in bug #894626 and in:
  [1] http://www.openwall.com/lists/oss-security/2013/01/23/7

haproxy previously failed to drop supplementary groups properly when trying to drop root privileges.

By itself this problem is not a security flaw, but still serious enough the upstream fix:
  [2] git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=ab012dd3

to be backported into all of the affected versions.

Version-Release number of selected component (if applicable):
haproxy-1.4.22-4.el6op

How reproducible:
Always

Steps to Reproduce:
1. See https://bugzilla.redhat.com/show_bug.cgi?id=894626#c0 for further reproducer details
  
Actual results:
Supplementary groups are not dropped properly after setuid / setgid calls.

Expected results:
(All) Supplementary groups should be dropped when dropping root privileges.
Comment 5 Rory Thrasher 2017-01-13 22:34:30 UTC 
OpenShift Enterprise v2 has officially reached EoL.  This product is no longer supported and bugs will be closed.

Please look into the replacement enterprise-grade container option, OpenShift Container Platform v3.  https://www.openshift.com/container-platform/

More information can be found here: https://access.redhat.com/support/policy/updates/openshift/