0003330: Resin running in root (0) group although configured otherwise (WARNING: potential privilege escalation bug!)

Viewing Issue Simple Details [ Jump to Notes ]

[ View Advanced ] [ Issue History ] [ Print ]

Category

Severity

Reproducibility

Date Submitted

Last Update

0003330

[Resin]

major

always

02-09-09 02:02

03-18-09 11:07

Reporter

tlandmann

View Status

public

Assigned To

ferg

Priority

normal

Resolution

fixed

Status

closed

Product Version

3.2.1

Summary

0003330: Resin running in root (0) group although configured otherwise (WARNING: potential privilege escalation bug!)

Description

I run Resin as root with the following passage in the server-default section in resin.xml:

<resin:if test="${resin.userName=='root'}">
<user-name>httpd</user-name>
<group-name>httpd</group-name>
</resin:if>

Thus resin should run as user httpd in group httpd.

Then I run the following PHP file from within Quercus:

<?php
header("Content-Type: text/plain");
echo `id`;
?>

The output is:
uid=1003(httpd) gid=1003(httpd) groups=0(root)

The expected output would be:
uid=1003(httpd) gid=1003(httpd) groups=1003(httpd)

The problem means that although Resin is running as user httpd and primary group httpd, it still belongs to group root (!). This is dangerous! (!) There may be lots of sensitive files on a server system which may be read or even modified by members of the root group.
I didn't check if this access is actually possible. However I would assume it.

Fixing this bug is STRONGLY recommended for security reasons.

Additional Information

Attached Files

Relationships

There are no notes attached to this issue.

Issue History
Date Modified	Username	Field	Change
02-09-09 02:02	tlandmann	New Issue
03-18-09 11:07	ferg	Assigned To	=> ferg
03-18-09 11:07	ferg	Status	new => closed
03-18-09 11:07	ferg	Resolution	open => fixed
03-18-09 11:07	ferg	Fixed in Version	=> 4.0.0

Mantis 1.0.0rc3[^]

27 total queries executed.
25 unique queries executed.