newgrp: fix potential string injection #758

vegard · 2023-07-21T13:31:12Z

Since newgrp is setuid-root, any write() system calls it does in order to print error messages will be done as the root user.

Unprivileged users can get newgrp to print essentially arbitrary strings to any open file in this way by passing those strings as argv[0] when calling execve(). For example:

$ setpid() { (exec -a $1$'\n:' newgrp '' 2>/proc/sys/kernel/ns_last_pid & wait) >/dev/null; }
$ setpid 31000
$ readlink /proc/self
31001

This is not a vulnerability in newgrp; it is a bug in the Linux kernel.

However, this type of bug is not new 1 and it makes sense to try to mitigate these types of bugs in userspace where possible.

Since newgrp is setuid-root, any write() system calls it does in order to print error messages will be done as the root user. Unprivileged users can get newgrp to print essentially arbitrary strings to any open file in this way by passing those strings as argv[0] when calling execve(). For example: $ setpid() { (exec -a $1$'\n:' newgrp '' 2>/proc/sys/kernel/ns_last_pid & wait) >/dev/null; } $ setpid 31000 $ readlink /proc/self 31001 This is not a vulnerability in newgrp; it is a bug in the Linux kernel. However, this type of bug is not new [1] and it makes sense to try to mitigate these types of bugs in userspace where possible. [1]: https://lwn.net/Articles/476947/ Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>

hallyn approved these changes Jul 22, 2023

View reviewed changes

hallyn merged commit 9df4801 into shadow-maint:master Jul 22, 2023
8 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

newgrp: fix potential string injection #758

newgrp: fix potential string injection #758

vegard commented Jul 21, 2023

newgrp: fix potential string injection #758

newgrp: fix potential string injection #758

Conversation

vegard commented Jul 21, 2023