https://bz.apache.org/bugzilla/show_bug.cgi?id=69356
Bug ID: 69356
Summary: incorrect revocation order when relinquishing
privileges
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: mod_privileges
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 39884
--> https://bz.apache.org/bugzilla/attachment.cgi?id=39884&action=edit
Patch reordering set*id() calls
I believe there are particular cases in which the relinquishing of privileges in
function privileges_end_req() of file /modules/arch/unix/mod_privileges.c is
incorrect.
In particular, the setuid() function (line 156) is called before the setgid()
one (line 160):
131 static apr_status_t privileges_end_req(void *data)
132 {
133     request_rec *r = data;
134     priv_cfg *cfg = ap_get_module_config(r->server->module_config,
135                                          &privileges_module);
136     priv_dir_cfg *dcfg = ap_get_module_config(r->per_dir_config,
137                                               &privileges_module);
138
139     /* ugly hack: grab default uid and gid from unixd */
140     extern unixd_config_rec ap_unixd_config;
141
142     /* If we forked a child, we dropped privilege to revert, so
143      * all we can do now is exit
144      */
145     if ((cfg->mode == PRIV_SECURE) ||
146         ((cfg->mode == PRIV_SELECTIVE) && (dcfg->mode == PRIV_SECURE))) {
147         exit(0);
148     }
149
150     /* if either user or group are not the default, restore them */
151     if (cfg->uid || cfg->gid) {
152         if (setppriv(PRIV_ON, PRIV_EFFECTIVE, priv_setid) == -1) {
153             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02136)
154                           "PRIV_ON failed restoring default user/group");
155         }
156         if (cfg->uid && (setuid(ap_unixd_config.user_id) == -1)) {
157             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02137)
158                           "Error restoring default userid");
159         }
160         if (cfg->gid && (setgid(ap_unixd_config.group_id) == -1)) {
161             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02138)
162                           "Error restoring default group");
163         }
164     }
Because the process has already given up its privileges by the time setgid()
runs, the setgid() call only changes the effective group ID to the wanted one;
the real group ID and the saved set-group-ID remain unchanged.
That allows code executed afterwards to regain privileges with subsequent
setgid() calls.
This is explained in detail in the POSIX rules:
https://wiki.sei.cmu.edu/confluence/display/c/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges
I doubt this is the intended behaviour for that function. I am attaching a
patch inverting the setuid() and setgid() calls to conform to the POSIX
privilege relinquishing order.
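As an added illustration of the order the patch restores (this is example code written for this page, not httpd's mod_privileges.c and not part of the attached patch), the function below switches group IDs before user IDs, as POS36-C prescribes, and then verifies with getresuid()/getresgid() that the real, effective and saved IDs all changed. The function names relinquish_privileges() and ids_fully_set() are hypothetical, and getresuid()/getresgid() are assumed to be available (they are on Linux/glibc and the BSDs). The ordering only makes a difference when the process starts with privilege; an unprivileged process may always set its IDs to the values it already has, which is what the demo main() does so the program runs as any user.

```c
#define _GNU_SOURCE          /* exposes getresuid()/getresgid() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 0 if the real, effective and saved user and group IDs all equal
 * the requested uid/gid, -1 otherwise. Checking all three is the point:
 * a setgid() made after privilege was dropped may succeed while changing
 * only the effective GID, leaving the saved GID as a way back. */
int ids_fully_set(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (getresuid(&ru, &eu, &su) == -1 || getresgid(&rg, &eg, &sg) == -1)
        return -1;
    if (ru != uid || eu != uid || su != uid)
        return -1;
    if (rg != gid || eg != gid || sg != gid)
        return -1;
    return 0;
}

/* Permanently switch to uid/gid in the order POS36-C prescribes:
 * supplementary groups, then the group ID, then the user ID.
 * Calling setuid() first would leave the process unprivileged, so a
 * later setgid() could change only the effective GID (the real and saved
 * GIDs would keep their old value). Returns 0 on success, -1 on failure. */
int relinquish_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() itself needs privilege: a root process must clear its
     * supplementary groups, an unprivileged caller cannot and skips it. */
    if (geteuid() == 0 && setgroups(1, &gid) == -1)
        return -1;

    /* Group first, while we still hold the privilege to set all three GIDs. */
    if (setgid(gid) == -1)
        return -1;

    /* User last: after this the process can no longer change GIDs freely. */
    if (setuid(uid) == -1)
        return -1;

    /* Verify rather than trusting the return values alone. */
    return ids_fully_set(uid, gid);
}

int main(void)
{
    /* Demo: switching to our own IDs is permitted for any user, so this
     * runs unprivileged; the ordering matters when we start as root. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (relinquish_privileges(uid, gid) != 0) {
        fprintf(stderr, "relinquish_privileges failed (errno %d)\n", errno);
        return 1;
    }
    printf("now uid=%u gid=%u for real, effective and saved IDs\n",
           (unsigned)uid, (unsigned)gid);
    return 0;
}
```

The verification step is what the httpd code above lacks: it logs only when setuid()/setgid() return -1, and a setgid() that silently changes just the effective GID returns 0.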