bitlbee running as root

  • Done
  • quality assurance status badge
Details
One participant
  • Ludovic Courtès
Owner
unassigned
Submitted by
Ludovic Courtès
Severity
normal
L
L
Ludovic Courtès wrote on 16 May 2022 15:30
(address . bug-guix@gnu.org)
874k1pa9lh.fsf@inria.fr
Starting from commit 211fe3f66e6dfdaa64974931c458ab1d92afc182, if PID 1
is Shepherd 0.9.0, the bitlbee daemon was started on-demand as an inetd
service.

However, due to a logic bug, it was running as root (in a separate user
namespace though) instead of running as “bitlbee”. The bug is that we
were spawning “bitlbee -u bitlbee” as root; normally, bitlbee would
setuid to the “bitlbee” user early on, but since it was in a separate
namespace and with a minimal /etc/passwd, it couldn’t do anything and
kept the current UID (that UID was 1000 inside the user namespace, but 0
outside).

Fix coming soon…

Ludo’.
L
L
Ludovic Courtès wrote on 16 May 2022 15:33
control message for bug #55450
(address . control@debbugs.gnu.org)
8735h9a9fj.fsf@gnu.org
tags 55450 + security
quit
L
L
Ludovic Courtès wrote on 16 May 2022 15:53
Re: bug#55450: bitlbee running as root
(address . 55450-done@debbugs.gnu.org)
87lev18ty1.fsf@gnu.org
Ludovic Courtès <ludo@gnu.org> skribis:

Toggle quote (12 lines)
> Starting from commit 211fe3f66e6dfdaa64974931c458ab1d92afc182, if PID 1
> is Shepherd 0.9.0, the bitlbee daemon was started on-demand as an inetd
> service.
>
> However, due to a logic bug, it was running as root (in a separate user
> namespace though) instead of running as “bitlbee”. The bug is that we
> were spawning “bitlbee -u bitlbee” as root; normally, bitlbee would
> setuid to the “bitlbee” user early on, but since it was in a separate
> namespace and with a minimal /etc/passwd, it couldn’t do anything and
> kept the current UID (that UID was 1000 inside the user namespace, but 0
> outside).

Fixed by commit ecfcdff23a5ce390a7edc019c1f1216c4843dc04: the bitlbee
process is now started as “bitlbee” right from the start.

I reviewed other users of ‘least-authority-wrapper’ that were recently
introduced and didn’t see other mistakes of that kind. You’re welcome
to take another look to make sure!

Ludo’.
Closed
?