gtlsshd is calling setuid and setgid without setgroups or initgroups

[kaechele]

As I'm packaging gensio for Fedora and preparing it for review I've stumbled across this error from rpmlint:
gensio.x86_64: E: missing-call-to-setgroups-before-setuid /usr/sbin/gtlsshd

If we have rpmlint explain this error to us we learn

$ rpmlint -e missing-call-to-setgroups-before-setuid
missing-call-to-setgroups-before-setuid:
This executable is calling setuid and setgid without setgroups or initgroups.
This means it didn't relinquish all groups, and this would be a potential
security issue.

I think it is a little sad about what is happening here: https://github.com/cminyard/gensio/blob/master/tools/gtlsshd.c#L1045

In looking into it more I've found this discussion on StackOverflow: https://security.stackexchange.com/questions/122141/always-setgroups-before-setuid

To be honest, I don't have enough experience to determine whether this an actual problem or not. I'd at least want to try to understand it better because it for sure will come up in the packaging review.

[cminyard]

Thank you for reporting this.

That is actually handled elsewhere. If you look in lib/gensio_osops.c, the gensio_unix_os_setupnewprog() function does the group handling. The library does most of the work for you, in gtlsshd it simply sets the real userid and groupid for you and create the new pty/stdio. The library handles setting up the group list for you.

This is documented in gensio.5 under the stdio and pty gensios.

However, I spotted a bug in this while looking. If there are no supplementary groups for the new user, the library code won't clear the group list. Oops. Anyway, I've fixed that and pushed up the fix. I'll get a new release out with the fix.

Note that this is not a huge security issue. In the real world, root never has any supplemental groups. (Why would it?) So there's nothing to drop. It would only be an issue if switching from one non-root user to another, and gtlsshd has to run as root to be able to do all the setreuid() and such.

Your packaging review may get some push back for having another program to do what ssh does. The gtlssh and gtlsshd programs are proof-of-concepts to show what the gensio library can do, even though they are fully functional programs. And gtlssh is required for making secure connections to ser2net. I believe that I have done everything correctly, but there has been no formal security review of the code. (I have fuzzed it and have a fairly brutal test suite, but there's nothing like a formal review.) Hopefully that helps in your work.

Thanks again,

-corey

[kaechele]

Thanks for the quick response and fix! This is very helpful.