I was looking at a review request for a quickjs-ng package in Fedora, and I noticed the following message from rpmlint:

```
quickjs-ng.x86_64: E: missing-call-to-setgroups-before-setuid /usr/bin/qjs
This executable is calling setuid and setgid without setgroups or initgroups.
This means it didn't relinquish all groups, and this would be a potential
security issue.
```
The code in question is in `js_os_exec` (quickjs/quickjs-libc.c, lines 3225 to 3227 in 3c9afc9):

```c
/* exec(args[, options]) -> exitcode */
static JSValue js_os_exec(JSContext *ctx, JSValueConst this_val,
                          int argc, JSValueConst *argv)
```

and the call to `setuid` is at quickjs/quickjs-libc.c, lines 3377 to 3380 in 3c9afc9:

```c
        if (uid != -1) {
            if (setuid(uid) < 0)
                _exit(127);
        }
```
Now, it’s certainly true in general that failing to relinquish supplementary groups can entirely subvert an attempt to drop privileges. Imagine, for example, the case where a wheel or admin group is among the supplementary groups.
However, I don’t have the time or interest to fully audit the privilege-dropping code here – particularly, to read enough code to understand the surrounding context and security model – so I’m just reporting this as a possible issue that I think merits investigation and consideration.
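For reference, the privilege-dropping order rpmlint is asking for, written out as an added example (this is not quickjs-ng code; the function names `drop_privileges`, `only_primary_group` and `supplementary_groups_cleared` are this example's own). It clears supplementary groups with `setgroups` before `setgid` and `setuid`, because after `setuid` to an unprivileged user the process can no longer make that call, and then verifies that the drop actually took effect:

```c
/* Added example, not part of quickjs-ng. Shows the order that fully
   relinquishes privilege: setgroups -> setgid -> setuid, then verify. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure helper: 1 if the list contains no group other than `gid` (an empty
   list also counts), 0 if a supplementary group survived the drop. */
int only_primary_group(const gid_t *groups, int ngroups, gid_t gid)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] != gid)
            return 0;
    return 1;
}

/* Ask the kernel via getgroups(2) whether any supplementary group is left.
   Returns 1 when clean, 0 otherwise (including on error). */
int supplementary_groups_cleared(gid_t gid)
{
    int n = getgroups(0, NULL);          /* query the count first */
    if (n < 0)
        return 0;
    if (n == 0)
        return 1;
    gid_t *buf = calloc((size_t)n, sizeof *buf);
    if (!buf)
        return 0;
    n = getgroups(n, buf);
    int ok = n >= 0 && only_primary_group(buf, n, gid);
    free(buf);
    return ok;
}

/* Drop to `uid`/`gid`. (uid_t)-1 / (gid_t)-1 mean "leave unchanged",
   matching the exec options in the issue. Returns 0 on success, -1 with
   errno set on failure; a caller such as an exec path would _exit(127). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == (uid_t)-1 && gid == (gid_t)-1)
        return 0;                        /* nothing requested */

    /* 1. Supplementary groups first. This is the call rpmlint reports as
          missing; it needs root, so it cannot come after setuid. */
    if (setgroups(0, NULL) < 0)
        return -1;

    /* 2. Primary group next, for the same reason. */
    if (gid != (gid_t)-1 && setgid(gid) < 0)
        return -1;

    /* 3. The uid last. */
    if (uid != (uid_t)-1 && setuid(uid) < 0)
        return -1;

    /* 4. Verify the drop stuck: a non-root target must not be able to
          regain root, and no supplementary group may remain. */
    if (uid != (uid_t)-1 && uid != 0 && setuid(0) == 0) {
        errno = EACCES;
        return -1;
    }
    if (!supplementary_groups_cleared(gid != (gid_t)-1 ? gid : getgid())) {
        errno = EACCES;
        return -1;
    }
    return 0;
}

/* Usage: ./drop <uid> <gid>   (run as root to exercise the whole sequence) */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s uid gid\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (drop_privileges(uid, gid) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid=%u gid=%u, supplementary groups cleared\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run as root the program ends up with the requested uid/gid and an empty supplementary group list; run unprivileged, `setgroups` fails with EPERM and the function reports it rather than silently leaving groups in place, which is the failure mode the rpmlint check is about.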