linux sigar_proc_port_get assumes effective UID of bound socket & process are the same #7

jgraettinger opened this Issue Apr 22, 2011 · 0 comments



This assumption is violated if the process binds the socket as root, and later drops its effective UID for security.

We discovered this recently with stunnel, when configured to run as non-root user 'stunnel4'.

To replicate:

  • apt-get stunnel on debian or ubuntu
  • Edit /etc/default/stunnel4, and set ENABLED=1

Play with enabling/disabling the setuid/setgid options in /etc/stunnel/stunnel.conf. Assume $port is a port bound by stunnel.

Using the ruby bindings & running irb as root,, $port) returns the stunnel PID when stunnel is also running as root. 0 is returned if stunnel drops to user 'stunnel4'
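The mismatch reported above, modelled as an added example (not sigar's code and not part of the original issue): a socket row in `/proc/net/tcp` keeps the UID it was created under, so a lookup that skips processes whose effective UID differs from that column finds nothing once the daemon has dropped privileges, while matching on the socket inode alone still finds it. The sample row, PID 4242, UID 109 and all function names are constructed for illustration, and the small process table stands in for a scan of `/proc/<pid>/fd`.

```c
#include <stdio.h>

/* Constructed sample row in /proc/net/tcp layout: LISTEN (st 0A) on port
 * 0x01BB; uid column 0 because root created the socket; inode 12345. */
static const char *SAMPLE_ROW =
    "   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 "
    "00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0";

struct sock_row { unsigned port, state, uid; unsigned long inode; };

/* Stand-in for scanning /proc/<pid>/fd for a "socket:[inode]" link. */
struct proc_entry { int pid; unsigned euid; unsigned long sock_inode; };

/* Parse one IPv4 row; returns 1 only for a listening socket. */
int parse_tcp_row(const char *line, struct sock_row *s)
{
    int n = sscanf(line, " %*d: %*x:%x %*x:%*x %x %*x:%*x %*x:%*x %*x %u %*u %lu",
                   &s->port, &s->state, &s->uid, &s->inode);
    return n == 4 && s->state == 0x0A;
}

/* Return the PID holding the socket inode, or 0 if none is found.
 * With require_uid_match set, processes whose effective UID differs from
 * the socket's uid column are skipped before their descriptors are checked. */
int pid_for_socket(const struct sock_row *s, const struct proc_entry *procs,
                   int nprocs, int require_uid_match)
{
    for (int i = 0; i < nprocs; i++) {
        if (require_uid_match && procs[i].euid != s->uid)
            continue;
        if (procs[i].sock_inode == s->inode)
            return procs[i].pid;
    }
    return 0;
}

/* Constructed process tables: PID 4242 and UID 109 are hypothetical. */
static const struct proc_entry AS_ROOT[] = { { 4242, 0, 12345 } };
static const struct proc_entry DROPPED[] = { { 4242, 109, 12345 } };

int main(void)
{
    struct sock_row s;
    if (!parse_tcp_row(SAMPLE_ROW, &s)) return 1;
    printf("port %u: uid filter, root=%d dropped=%d; inode only, dropped=%d\n", s.port,
           pid_for_socket(&s, AS_ROOT, 1, 1), pid_for_socket(&s, DROPPED, 1, 1),
           pid_for_socket(&s, DROPPED, 1, 0));
    return 0;
}
```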
