GNU bug report logs - #55450
bitlbee running as root

Previous Next

Package: guix;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Mon, 16 May 2022 13:31:01 UTC

Severity: normal

Tags: security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 55450 in the body.
You can then email your comments to 55450 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to bug-guix <at> gnu.org:
bug#55450; Package guix. (Mon, 16 May 2022 13:31:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ludovic Courtès <ludo <at> gnu.org>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 16 May 2022 13:31:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: bug-guix <at> gnu.org
Subject: bitlbee running as root
Date: Mon, 16 May 2022 15:30:18 +0200
Starting from commit 211fe3f66e6dfdaa64974931c458ab1d92afc182, if PID 1
is Shepherd 0.9.0, the bitlbee daemon was started on-demand as an inetd
service.

However, due to a logic bug, it was running as root (in a separate user
namespace though) instead of running as “bitlbee”.  The bug is that we
were spawning “bitlbee -u bitlbee” as root; normally, bitlbee would
setuid to the “bitlbee” user early on, but since it was in a separate
namespace and with a minimal /etc/passwd, it couldn’t do anything and
kept the current UID (that UID was 1000 inside the user namespace, but 0
outside).

Fix coming soon…

Ludo’.




Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Mon, 16 May 2022 13:34:01 GMT) Full text and rfc822 format available.

Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Mon, 16 May 2022 13:54:02 GMT) Full text and rfc822 format available.

Notification sent to Ludovic Courtès <ludo <at> gnu.org>:
bug acknowledged by developer. (Mon, 16 May 2022 13:54:02 GMT) Full text and rfc822 format available.

Message #12 received at 55450-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: 55450-done <at> debbugs.gnu.org
Subject: Re: bug#55450: bitlbee running as root
Date: Mon, 16 May 2022 15:53:42 +0200
Ludovic Courtès <ludo <at> gnu.org> skribis:

> Starting from commit 211fe3f66e6dfdaa64974931c458ab1d92afc182, if PID 1
> is Shepherd 0.9.0, the bitlbee daemon was started on-demand as an inetd
> service.
>
> However, due to a logic bug, it was running as root (in a separate user
> namespace though) instead of running as “bitlbee”.  The bug is that we
> were spawning “bitlbee -u bitlbee” as root; normally, bitlbee would
> setuid to the “bitlbee” user early on, but since it was in a separate
> namespace and with a minimal /etc/passwd, it couldn’t do anything and
> kept the current UID (that UID was 1000 inside the user namespace, but 0
> outside).

Fixed by commit ecfcdff23a5ce390a7edc019c1f1216c4843dc04: the bitlbee
process is now started as “bitlbee” right from the start.

I reviewed other users of ‘least-authority-wrapper’ that were recently
introduced and didn’t see other mistakes of that kind.  You’re welcome
to take another look to make sure!

Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 14 Jun 2022 11:24:06 GMT) Full text and rfc822 format available.

This bug report was last modified 1 year and 287 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.