Bug 129914 - sys-cluster/util-vserver: [<=0.30.209] SUEXEC Privilege Escalation Weakness
Summary: sys-cluster/util-vserver: [<=0.30.209] SUEXEC Privilege Escalation Weakness
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: https://savannah.nongnu.org/bugs/?fun...
Whiteboard: B4 [noglsa] ed
Keywords:
Depends on:
Blocks:
 
Reported: 2006-04-14 01:56 UTC by Eduardo Tongson
Modified: 2006-04-14 13:28 UTC

See Also:
Package list:
Runtime testing required: ---


Description Eduardo Tongson 2006-04-14 01:56:16 UTC
Fixed in 0.30.210

"""snip"""
I tried to use "vserver [servername] suexec [username] [command]" in my startup scripts, but instead of running as the user I expected, the process ran as root within the vserver.

I learned that suexec takes a userid Number, instead of a username String. Since the usual result of pushing alphabetical characters through a convert-to-number function is 0, which is the userid of root...

Invalid parameters should at least return an error, not run with extra privileges. =)
"""snip"""
Comment 1 Benedikt Böhm (RETIRED) gentoo-dev 2006-04-14 04:18:07 UTC
this has not been fixed in 0.30.210, the patch has been added to 0.30.210-r12 and hopefully it will get in 0.30.211 upstream... although r12 is in for a few days, i made it stable, previous revisions got massive testing anyway..
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-14 04:24:25 UTC
This is ready for GLSA decision. I vote a full NO.

Not even sure it's a security issue.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-04-14 13:28:24 UTC
Full NO and closing.