Discussion:
libcapng considered hostile
Rainer Weikusat
2020-05-15 21:57:50 UTC
The library provides a

capng_change_id

function which can be used to change the uid and/or gid of a process while
retaining a capability set. "Unfortunately" (IOW, because some RedHat
guy is suffering from a particularly bad case of BTNHIWHDI[*]) it
can only clear an existing set of supplementary groups and not
initialize it to something like, say, the list of supplementary groups
associated with the user account whose uid is being used (at least
version 0.7.3).

[*] But That's Not How I Would Have Done It! -- also appears in the
wild as BTNHMDI, "But That's Not How Microsoft Did It!" :->
Scott Lurndal
2020-05-17 21:04:09 UTC
Post by Rainer Weikusat
The library provides a
capng_change_id
function which can be used to change the uid and/or gid of a process while
retaining a capability set. "Unfortunately" (IOW, because some RedHat
guy is suffering from a particularly bad case of BTNHIWHDI[*]) it
can only clear an existing set of supplementary groups and not
initialize it to something like, say, the list of supplementary groups
associated with the user account whose uid is being used (at least
version 0.7.3).
Perhaps you need CAP_SETGID to use the underlying setgroups(2) system call.
Rainer Weikusat
2020-05-17 21:32:59 UTC
Post by Scott Lurndal
Post by Rainer Weikusat
The library provides a
capng_change_id
function which can be used to change the uid and/or gid of a process while
retaining a capability set. "Unfortunately" (IOW, because some RedHat
guy is suffering from a particularly bad case of BTNHIWHDI[*]) it
can only clear an existing set of supplementary groups and not
initialize it to something like, say, the list of supplementary groups
associated with the user account whose uid is being used (at least
version 0.7.3).
Perhaps you need CAP_SETGID to use the underlying setgroups(2) system call.
Yes. But I checked this in the code: The library version I'm using
(because it came with Ubuntu 14) has support for using setgroups(0,
NULL) to clear a set of supplementary groups but no support to populate
it with anything.
Scott Lurndal
2020-05-18 20:14:02 UTC
Post by Rainer Weikusat
Post by Scott Lurndal
Post by Rainer Weikusat
The library provides a
capng_change_id
function which can be used to change the uid and/or gid of a process while
retaining a capability set. "Unfortunately" (IOW, because some RedHat
guy is suffering from a particularly bad case of BTNHIWHDI[*]) it
can only clear an existing set of supplementary groups and not
initialize it to something like, say, the list of supplementary groups
associated with the user account whose uid is being used (at least
version 0.7.3).
Perhaps you need CAP_SETGID to use the underlying setgroups(2) system call.
Yes. But I checked this in the code: The library version I'm using
(because it came with Ubuntu 14) has support for using setgroups(0,
NULL) to clear a set of supplementary groups but no support to populate
it with anything.
I would have used initgroups(3) to do that, rather than all the coding
necessary to read the groups file and build the argument list for setgroups(2).

(although I generally use libpcap, so I've not used libcapng).
Rainer Weikusat
2020-05-18 21:49:43 UTC
Post by Scott Lurndal
Post by Rainer Weikusat
Post by Rainer Weikusat
The library provides a
capng_change_id
[...]
Post by Scott Lurndal
Post by Rainer Weikusat
Yes. But I checked this in the code: The library version I'm using
(because it came with Ubuntu 14) has support for using setgroups(0,
NULL) to clear a set of supplementary groups but no support to populate
it with anything.
I would have used initgroups(3) to do that, rather than all the coding
necessary to read the groups file and build the argument list for setgroups(2).
(although I generally use libpcap, so I've not used libcapng).
Well, yes, that's what I did in the workaround. But the noteworthy thing
here is that a RedHat Linux Process[tm] has a user id and a group id
(possibly entirely unconnected to the user id) and may have inherited a
set of supplementary group IDs. These are considered "fishy", hence,
they can be dropped.

The idea that they could be useful for something in general and
specifically, that a process changing its user ID to something should
use the supplementary groups associated with this user doesn't exist in
the RedHat universe.
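The privilege drop the thread circles around, written out as an added example (not code from the thread, from libcap-ng, or from either poster): populate the supplementary group list from the group database with initgroups(3), as Scott suggests, then change gid and uid in that order and verify the drop stuck. The `clear_supplementary_groups` helper shows the contrasting setgroups(0, NULL) behaviour the thread attributes to libcap-ng 0.7.3. Linux with glibc is assumed; the account name "nobody" and the status enum are this example's own choices, and the actual drop needs to start as root (CAP_SETUID/CAP_SETGID).

```c
/* Added example: drop root privileges to a named account, populating the
 * supplementary group list via initgroups(3) instead of merely clearing it
 * with setgroups(0, NULL). Linux/glibc assumed. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_status {
    DROP_OK = 0,
    DROP_NO_USER,        /* account not found in the passwd database */
    DROP_GROUPS_FAILED,  /* initgroups() failed (needs CAP_SETGID) */
    DROP_SETGID_FAILED,
    DROP_SETUID_FAILED,
    DROP_STILL_ROOT      /* setuid(0) still succeeds after the drop */
};

/* Number of groups the group database associates with `user`, including the
 * primary gid. Unprivileged: it only reads the database (getgrouplist(3)). */
int supplementary_group_count(const char *user, gid_t primary)
{
    gid_t groups[64];
    int n = (int)(sizeof groups / sizeof groups[0]);
    /* If the buffer is too small getgrouplist() returns -1 but stores the
     * required size in n, so n holds the correct count either way. */
    if (getgrouplist(user, primary, groups, &n) == -1 && n <= 0)
        return -1;
    return n;
}

/* Change to `user`, keeping that account's supplementary groups.
 * Order matters: groups first, then gid, then uid. Once the uid is no
 * longer 0 the group calls need CAP_SETGID and would fail. */
enum drop_status drop_to_user(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return DROP_NO_USER;
    if (initgroups(user, pw->pw_gid) != 0)
        return DROP_GROUPS_FAILED;
    if (setgid(pw->pw_gid) != 0)
        return DROP_SETGID_FAILED;
    if (setuid(pw->pw_uid) != 0)
        return DROP_SETUID_FAILED;
    /* Verify the drop is irreversible: regaining uid 0 must now fail. */
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return DROP_STILL_ROOT;
    return DROP_OK;
}

/* The behaviour the thread attributes to libcap-ng 0.7.3: the supplementary
 * set is emptied, not populated. Adequate for a daemon that needs no group
 * access, wrong for "run this as user X". Also needs CAP_SETGID. */
int clear_supplementary_groups(void)
{
    return setgroups(0, NULL);
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody"; /* placeholder account */
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        fprintf(stderr, "no such account: %s\n", user);
        return 1;
    }
    printf("%s: %d group(s) in the group database\n",
           user, supplementary_group_count(user, pw->pw_gid));

    enum drop_status st = drop_to_user(user);
    if (st != DROP_OK) {
        fprintf(stderr, "drop_to_user(%s) failed: status %d (%s)\n",
                user, (int)st, strerror(errno));
        return 1;
    }
    printf("now uid %u with %d supplementary group(s)\n",
           (unsigned)getuid(), getgroups(0, NULL));
    return 0;
}
```

Run as root with an account name to see the supplementary groups carried over; run unprivileged and `drop_to_user` returns `DROP_GROUPS_FAILED`, which is the CAP_SETGID requirement Scott points at. The final `setuid(0)` probe is there because a drop that silently failed to take effect is the failure mode a reviewer should most want caught.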
