We need to squash the group ID and supplementary group list when changing user. Right now, we're running the command with root's groups, unchanged. This is a security bug.
Example:
$ sudo ./nonet -u nobody -- id
uid=65534(nobody) gid=0(root) groups=0(root)
$ ls -l /tmp/secret
-rw-r----- 1 root root 12 Abr 28 23:29 /tmp/secret
$ sudo ./nonet -u nobody -- cat /tmp/secret
SECRET DATA
Solution
The logical behavior would be to change the group ID to the group ID from the user's passwd entry. As for the supplementary group IDs, these could either be blanked, or set to the list of groups that the user belongs to (which is more expectable and user friendly).
The getgrouplist() function can be used for this, but it's not POSIX standard. An alternative would be to use getgrent() to crawl the list of group entries, looking for groups with the desired member.