GNU bug report logs

#55450 bitlbee running as root


Report forwarded to bug-guix@gnu.org:
bug#55450; Package guix. (Mon, 16 May 2022 13:31:01 GMT)


Acknowledgement sent to Ludovic Courtès <ludo@gnu.org>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Mon, 16 May 2022 13:31:01 GMT)


Message #5 received at submit@debbugs.gnu.org:

From: Ludovic Courtès <ludo@gnu.org>
To: bug-guix@gnu.org
Subject: bitlbee running as root
Date: Mon, 16 May 2022 15:30:18 +0200
Starting from commit 211fe3f66e6dfdaa64974931c458ab1d92afc182, if PID 1
is Shepherd 0.9.0, the bitlbee daemon was started on-demand as an inetd
service.

However, due to a logic bug, it was running as root (in a separate user
namespace though) instead of running as “bitlbee”.  The bug is that we
were spawning “bitlbee -u bitlbee” as root; normally, bitlbee would
setuid to the “bitlbee” user early on, but since it was in a separate
namespace and with a minimal /etc/passwd, it couldn’t do anything and
kept the current UID (that UID was 1000 inside the user namespace, but 0
outside).

Fix coming soon…

Ludo’.




Added tag(s) security. Request was from Ludovic Courtès <ludo@gnu.org> to control@debbugs.gnu.org. (Mon, 16 May 2022 13:34:01 GMT)


Reply sent to Ludovic Courtès <ludo@gnu.org>:
You have taken responsibility. (Mon, 16 May 2022 13:54:02 GMT)


Notification sent to Ludovic Courtès <ludo@gnu.org>:
Bug acknowledged by developer. (Mon, 16 May 2022 13:54:02 GMT)


Message #12 received at 55450-done@debbugs.gnu.org:

From: Ludovic Courtès <ludo@gnu.org>
To: 55450-done@debbugs.gnu.org
Subject: Re: bug#55450: bitlbee running as root
Date: Mon, 16 May 2022 15:53:42 +0200
Ludovic Courtès <ludo@gnu.org> wrote:

> Starting from commit 211fe3f66e6dfdaa64974931c458ab1d92afc182, if PID 1
> is Shepherd 0.9.0, the bitlbee daemon was started on-demand as an inetd
> service.
>
> However, due to a logic bug, it was running as root (in a separate user
> namespace though) instead of running as “bitlbee”.  The bug is that we
> were spawning “bitlbee -u bitlbee” as root; normally, bitlbee would
> setuid to the “bitlbee” user early on, but since it was in a separate
> namespace and with a minimal /etc/passwd, it couldn’t do anything and
> kept the current UID (that UID was 1000 inside the user namespace, but 0
> outside).

Fixed by commit ecfcdff23a5ce390a7edc019c1f1216c4843dc04: the bitlbee
process is now started as “bitlbee” right from the start.

I reviewed other users of ‘least-authority-wrapper’ that were recently
introduced and didn’t see other mistakes of that kind.  You’re welcome
to take another look to make sure!

Ludo’.
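The failure mode described in the two messages above, as an added example that is not Guix, Shepherd or bitlbee code: a parser for the kernel's uid_map format that shows why UID 1000 inside the user namespace is UID 0 outside, beside the fail-open privilege drop (exec the daemon with the ambient UID and let it resolve "bitlbee" itself, which keeps the current UID when the minimal /etc/passwd does not know the user) and the fail-closed version the fix amounts to (resolve and switch to the user before exec, and refuse to start if it cannot be resolved). The passwd contents, the UID 987 for bitlbee and the single-entry map are constructed inputs; the functions simulate the lookups rather than calling setuid, so the example runs unprivileged.

```python
# Added example (not Guix, Shepherd or bitlbee code).  Simulates the
# privilege-drop logic; no real namespace or setuid call is made.
from dataclasses import dataclass


@dataclass(frozen=True)
class UidMapEntry:
    inner_start: int   # first UID as seen inside the user namespace
    outer_start: int   # the UID it corresponds to in the parent namespace
    count: int         # length of the mapped range


def parse_uid_map(text):
    """Parse /proc/<pid>/uid_map: one 'inner outer count' triple per line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inner, outer, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive range length: {line!r}")
        entries.append(UidMapEntry(inner, outer, count))
    return entries


def inner_to_outer(uid_map, uid):
    """Translate a UID seen inside the namespace to the parent's view.

    An unmapped UID has no identity outside the namespace (the kernel shows
    it as the overflow UID, 65534 by default); None is returned for it."""
    for e in uid_map:
        if e.inner_start <= uid < e.inner_start + e.count:
            return e.outer_start + (uid - e.inner_start)
    return None


def lookup_uid(passwd_text, name):
    """Minimal /etc/passwd lookup ('name:x:uid:gid:...'): uid or None."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] == name:
            return int(fields[2])
    return None


def drop_privileges_fail_open(passwd_text, name, current_uid):
    """The buggy pattern: the daemon is exec'd with the ambient UID and asked
    to switch to NAME itself.  If NAME cannot be resolved from the passwd
    visible to it, there is nothing to switch to, so it keeps CURRENT_UID."""
    target = lookup_uid(passwd_text, name)
    return current_uid if target is None else target


def drop_privileges_fail_closed(passwd_text, name):
    """The fixed pattern: resolve NAME where the real passwd database is
    visible, before entering the namespace or exec'ing the daemon, and refuse
    to start at all if it cannot be resolved."""
    target = lookup_uid(passwd_text, name)
    if target is None:
        raise LookupError(f"cannot resolve user {name!r}; refusing to start")
    return target


# Constructed inputs: the host passwd knows "bitlbee" (UID 987 is made up);
# the namespace's minimal passwd does not.  The map makes inner UID 1000
# correspond to outer UID 0, as in the report.
HOST_PASSWD = ("root:x:0:0:root:/root:/bin/sh\n"
               "bitlbee:x:987:987::/var/empty:/bin/false\n")
NAMESPACE_PASSWD = "root:x:0:0:root:/root:/bin/sh\n"
UID_MAP = "1000 0 1\n"


def demonstrate():
    uid_map = parse_uid_map(UID_MAP)
    # Buggy order: already inside the namespace as inner UID 1000, exec
    # "bitlbee -u bitlbee" and hope the daemon drops to bitlbee on its own.
    buggy_inner = drop_privileges_fail_open(NAMESPACE_PASSWD, "bitlbee", 1000)
    buggy_outer = inner_to_outer(uid_map, buggy_inner)
    # Fixed order: resolve the user on the host first (succeeds), and note
    # that the same lookup inside the namespace fails closed instead of open.
    host_uid = drop_privileges_fail_closed(HOST_PASSWD, "bitlbee")
    try:
        in_ns = drop_privileges_fail_closed(NAMESPACE_PASSWD, "bitlbee")
    except LookupError:
        in_ns = None
    return {"buggy_inner": buggy_inner, "buggy_outer": buggy_outer,
            "host_resolved": host_uid, "fail_closed_in_namespace": in_ns}


if __name__ == "__main__":
    print(demonstrate())
```

The point the simulation makes is that a daemon's own `-u user` switch is only a defence when the lookup can succeed where the daemon runs; a wrapper that narrows the environment before exec has to resolve and apply the identity itself, and treat a failed lookup as a start-up error rather than a no-op.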




Bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Tue, 14 Jun 2022 11:24:06 GMT)

