
Bug#299191: marked as done (apache2-common: suexec sets incorrect gid and groups)



Your message dated Sat, 12 Mar 2005 13:26:42 -0800
with message-id <20050312212635.GC6020@mauritius.dodds.net>
and subject line Bug#299191: Not suexec
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 12 Mar 2005 13:18:26 +0000
>From core@bokeoa.com Sat Mar 12 05:18:26 2005
Return-path: <core@bokeoa.com>
Received: from 24-180-36-132.cs-cres.charterpipeline.net (iceqube) [24.180.36.132] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DA6Vd-0004Xv-00; Sat, 12 Mar 2005 05:18:25 -0800
Received: by iceqube (Postfix, from userid 1000)
	id 5A743116FA; Sat, 12 Mar 2005 05:17:53 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Charles Stevenson <core@bokeoa.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache2-common: suexec sets incorrect gid and groups
X-Mailer: reportbug 3.8
Date: Sat, 12 Mar 2005 05:17:52 -0800
Message-Id: <20050312131753.5A743116FA@iceqube>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: apache2-common
Version: 2.0.53-5
Severity: grave
Justification: user security hole


I'm fairly certain this is specific to the MIPS port.  I looked at the
source and did some tests and am a bit perplexed.  I thought it was a
signedness issue, integer overflow I think they call it.  In any case
here's the rundown.  Apache is running as nobody/nogroup (65534/65534).
I was having some luser errors with a CGI script so I dropped a simple
command execution script in /usr/lib/cgi-bin/ to see if CGI worked in
general which it does. In any case I ran /usr/bin/id and noticed my gid
was wrong as well as my groups. I created a file just to ensure the
problem wasn't within id and did an ls on the file. It seems that it's a
problem with suexec itself. My box is slow as can be and I've just about
given up trying to build it from source and see for myself but I imagine
that perhaps this is built with a cross-compiler.  And that somehow the
signedness is incurred in this fashion.  I did test getgrnam and it
returns correct information. Here's some output from my lil' script:

$ id
uid=65534(nobody) gid=1(daemon) groups=4294967295
$ touch /tmp/nobody_was_here
$ ls -l /tmp/nobody_was_here
-rw-r--r--  1 nobody 4294967295 0 Mar 12 05:11 /tmp/nobody_was_here

Anyways this can in theory lead to some strange privilege elevation
given the gid of daemon. I chose grave since it seemed fitting although
in truth it's probably not a huge issue? There were no errors logged.
Anyways if I can fix strace to work or get this to compile I might be
able to send a patch or more useful info. For now it's still running
configure... ;)

peace,
core

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: mipsel (mips)
Kernel: Linux 2.4.27-r5k-cobalt
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages apache2-common depends on:
ii  apache2-utils               2.0.53-5     utility programs for webservers
ii  debconf                     1.4.30.11    Debian configuration management sy
ii  debianutils                 2.8.4        Miscellaneous utilities specific t
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libdb4.2                    4.2.52-18    Berkeley v4.2 Database Libraries [
ii  libexpat1                   1.95.8-1     XML parsing C library - runtime li
ii  libgcc1                     1:3.4.3-6    GCC support library
ii  libmagic1                   4.12-1       File type determination library us
ii  mime-support                3.28-1       MIME files 'mime.types' & 'mailcap
ii  net-tools                   1.60-10      The NET-3 networking toolkit
ii  openssl                     0.9.7e-2     Secure Socket Layer (SSL) binary a
ii  ssl-cert                    1.0-11       Simple debconf wrapper for openssl

-- no debconf information

---------------------------------------
Received: (at 299191-done) by bugs.debian.org; 12 Mar 2005 21:26:45 +0000
>From vorlon@debian.org Sat Mar 12 13:26:45 2005
Return-path: <vorlon@debian.org>
Received: from dsl093-039-086.pdx1.dsl.speakeasy.net (localhost.localdomain) [66.93.39.86] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DAE8C-0008IH-00; Sat, 12 Mar 2005 13:26:44 -0800
Received: by localhost.localdomain (Postfix, from userid 1000)
	id 536E5171D21; Sat, 12 Mar 2005 13:26:42 -0800 (PST)
Date: Sat, 12 Mar 2005 13:26:42 -0800
From: Steve Langasek <vorlon@debian.org>
To: Charles Stevenson <core@bokeoa.com>, 299191-done@bugs.debian.org
Subject: Re: Bug#299191: Not suexec
Message-ID: <20050312212635.GC6020@mauritius.dodds.net>
References: <20050312140737.GA3522@debian>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="s9fJI615cBHmzTOP"
Content-Disposition: inline
In-Reply-To: <20050312140737.GA3522@debian>
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: 299191-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--s9fJI615cBHmzTOP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Mar 12, 2005 at 06:07:37AM -0800, Charles Stevenson wrote:
> Apparently I'm too tired to be sending bug reports ;-) It appears that
> suexec is not involved. My Qube2 finally finished running configure. I
> think the solution is in apache2.conf to use www-data for User and
> Group. Fixed the problems here :) Sorry for the bother. I think it has
> to do with "don't use Group #-1 on these systems!"

Group #-1 doesn't map to nogroup (65534); uids and gids on modern GNU/Linux
systems are 32-bit values, not 16-bit values.  Since there is indeed no
privilege escalation here, I don't believe this is a bug at all.

Thanks,
-- 
Steve Langasek
postmodern programmer

--s9fJI615cBHmzTOP
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCM16LKN6ufymYLloRAqMJAKDEWI3M0nuLrvTTNW+1Bik9O3wL3wCfYYw0
OD+Iaxd6SMnSdq6dzuJUTbw=
=jopp
-----END PGP SIGNATURE-----

--s9fJI615cBHmzTOP--
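The integer-width point made in the reply above, as an added C example that is not part of this bug thread and not Apache's code: a `#<number>` User/Group value is turned into a `gid_t` by plain integer conversion, and because `gid_t` is a 32-bit unsigned type on modern GNU/Linux, `#-1` becomes 4294967295 rather than `nogroup` (65534, which is -2 in 16-bit arithmetic, not -1). The parser `numeric_group_to_gid`, the wrapper `gid_value_of` and the check `gid_is_safe_to_drop_to` are hypothetical helpers written for this example; the all-ones id is also the "leave unchanged" sentinel for setregid(2)/setresgid(2) and chown(2), so a privilege-dropping routine should refuse it before calling setgid()/initgroups().

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Width of gid_t on this platform, in bits (32 on modern GNU/Linux). */
#define GID_BITS ((int)(sizeof(gid_t) * CHAR_BIT))

/*
 * Hypothetical parser for the "#<number>" form of a Group/User value.
 * It mimics a config parser that converts the digits and stores the
 * result straight into an unsigned gid_t, so "-1" wraps to all ones.
 * Returns 0 on success, -1 if the value is not of the "#<number>" form.
 */
int numeric_group_to_gid(const char *value, gid_t *out) {
    char *end;
    long n;
    if (value == NULL || value[0] != '#') return -1;
    errno = 0;
    n = strtol(value + 1, &end, 10);
    if (errno != 0 || end == value + 1 || *end != '\0') return -1;
    *out = (gid_t)n;   /* the wrap under discussion happens here */
    return 0;
}

/* Convenience wrapper: the resulting gid as a non-negative number,
 * or -1 when the value does not parse. */
long long gid_value_of(const char *value) {
    gid_t g;
    if (numeric_group_to_gid(value, &g) != 0) return -1;
    return (long long)(unsigned long)g;
}

/* What the same signed number would have become with a 16-bit gid. */
unsigned legacy_16bit_gid(long n) { return (uint16_t)n; }

/*
 * Defensive check to run before setgid()/initgroups(): the all-ones id is
 * not a real group, and setregid()/setresgid() and chown() interpret it as
 * "do not change", so dropping privileges to it is never what was meant.
 * Returns 1 if the id may be used, 0 if it must be rejected.
 */
int gid_is_safe_to_drop_to(gid_t gid) {
    return gid != (gid_t)-1;
}

int main(void) {
    printf("gid_t is %d bits wide\n", GID_BITS);
    printf("Group #-1     -> gid %lld (nogroup is 65534)\n", gid_value_of("#-1"));
    printf("Group #65534  -> gid %lld\n", gid_value_of("#65534"));
    printf("16-bit wrap: -1 -> %u, -2 -> %u\n",
           legacy_16bit_gid(-1), legacy_16bit_gid(-2));
    printf("safe to setgid(#-1)? %d\n", gid_is_safe_to_drop_to((gid_t)-1));
    return 0;
}
```

Run on a 32-bit `gid_t` system this reproduces the `4294967295` seen in the reporter's `id` and `ls -l` output, and shows why the fix was to name a real group (`www-data`) rather than `#-1`.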
