luv
Library calls setuid and/or setgid without setgroups or initgroups
When building a package for openSUSE, rpmlint warns me:
This executable is calling setuid and setgid without setgroups or initgroups. There is a high probability this means it didn't relinquish all groups, and this would be a potential security issue to be fixed. Seek POS36-C on the web for details about the problem.
Some more info:
setuid/setgid are called from luv_setuid/luv_setgid here:
https://github.com/luvit/luv/blob/a0a98ec424e368cc2481faa03b99a25f403a5832/src/misc.c#L337-L353
The only usage I can find of uv.setuid/uv.setgid on GitHub is here: https://github.com/creationix/gardener/blob/b9e2d590cb48a01f5310f35516e68eb52bfc6f02/bridge/server.lua#L56-L58
Here's how Libuv handles this when spawning a new process: https://github.com/libuv/libuv/blob/abe4f3d58d1f89f7b9c3092a917486832ceff7a2/src/unix/process.c#L354-L373
(it calls setgroups(0, NULL), then setgid, then setuid).
I don't know enough about this stuff to know what should be done here, but hopefully that can provide a starting point.
Some more reference links:
- https://security.stackexchange.com/questions/122141/always-setgroups-before-setuid
- https://www.oreilly.com/library/view/secure-programming-cookbook/0596003943/ch01s03.html
- https://wiki.sei.cmu.edu/confluence/display/c/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges
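The revocation order the libuv snippet above follows (setgroups, then setgid, then setuid), together with the post-condition checks POS36-C recommends, written out as an added example in C. This is not code from luv or libuv; the function names `drop_privileges`, `verify_privileges_dropped` and `supplementary_group_count` are this example's own. It also goes slightly beyond the issue text: when the process is not root, a setgroups() failure with EPERM is tolerated (an unprivileged process may not call setgroups() and has no root groups to shed), and after dropping from root it actively confirms that uid 0 cannot be regained and that setgroups() now fails.

```c
#define _GNU_SOURCE 1        /* expose setgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Post-condition check recommended by POS36-C: the real and effective
 * ids must match the target, and, if we started as root and are no
 * longer uid 0, privilege must be unrecoverable: setuid(0) and
 * setgroups() both have to fail now. Returns 0 if everything checks out,
 * -1 (with errno = EPERM) otherwise. */
int verify_privileges_dropped(uid_t uid, gid_t gid, int was_root) {
    if (getuid() != uid || geteuid() != uid) goto still_privileged;
    if (getgid() != gid || getegid() != gid) goto still_privileged;
    if (was_root && uid != 0) {
        if (setuid(0) == 0) goto still_privileged;        /* regained root */
        if (setgroups(0, NULL) == 0) goto still_privileged; /* still CAP_SETGID */
    }
    return 0;
still_privileged:
    errno = EPERM;
    return -1;
}

/* Permanently drop to uid/gid in the order rpmlint and POS36-C expect:
 * supplementary groups first (only root may change them), then the
 * primary gid (needs the uid privilege we are about to give up), then
 * the uid last. Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    int was_root = (geteuid() == 0);

    /* Step 1: clear supplementary groups. An unprivileged process gets
     * EPERM here and has no root-only groups to shed, so that single case
     * is tolerated (example's own choice); any other failure is fatal. */
    if (setgroups(0, NULL) != 0 && (was_root || errno != EPERM))
        return -1;

    /* Step 2: primary gid, while we can still change it. Doing this after
     * setuid() fails for a non-root target and leaves gid 0 behind. */
    if (setgid(gid) != 0)
        return -1;

    /* Step 3: uid last; after this the gid calls above would be refused. */
    if (setuid(uid) != 0)
        return -1;

    return verify_privileges_dropped(uid, gid, was_root);
}

/* Number of supplementary groups still attached to the process, not
 * counting the effective gid (some systems list it in getgroups()).
 * After a successful setgroups(0, NULL) this is 0. Returns -1 on error. */
int supplementary_group_count(void) {
    int n = getgroups(0, NULL);
    gid_t *groups;
    int i, count = 0;
    if (n <= 0) return n;
    groups = malloc((size_t)n * sizeof *groups);
    if (groups == NULL) return -1;
    n = getgroups(n, groups);
    for (i = 0; i < n; i++)
        if (groups[i] != getegid()) count++;
    free(groups);
    return n < 0 ? -1 : count;
}

int main(void) {
    /* As root you would pass the target service account's ids here;
     * unprivileged, dropping to our own ids exercises the same code path. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid=%u gid=%u, %d supplementary group(s) left\n",
           (unsigned)geteuid(), (unsigned)getegid(), supplementary_group_count());
    return 0;
}
```

Compile with `cc -Wall -o drop drop.c`; run it as root with a non-zero target uid/gid to see the full path, including the check that setuid(0) is refused afterwards. The ordering matters because each step consumes the privilege the next one depends on: after setuid() to a non-root uid, setgid() and setgroups() are no longer permitted, which is exactly the case rpmlint is warning about.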