From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 18155 invoked by alias); 22 Jul 2014 12:35:05 -0000 Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Post: List-Help: , Sender: glibc-bugs-owner@sourceware.org Received: (qmail 18093 invoked by uid 48); 22 Jul 2014 12:35:01 -0000 From: "fweimer at redhat dot com" To: glibc-bugs@sourceware.org Subject: [Bug nptl/13347] Threaded setuid() can wrongly report success when failing to drop privileges Date: Tue, 22 Jul 2014 12:35:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: nptl X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: fweimer at redhat dot com X-Bugzilla-Status: RESOLVED X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: fweimer at redhat dot com X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: security- X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2014-07/txt/msg00663.txt.bz2 https://sourceware.org/bugzilla/show_bug.cgi?id=13347 --- Comment #15 from Florian Weimer --- (In reply to Rich Felker from comment #14) > I've seen real-world applications that were _potentially_ affected. In > particular, Java applications which call setuid at startup (e.g. after > binding to a port) have often (possibly inadvertently) created threads > before doing so. It may be very unlikely for setuid to fail in some of the > threads at system startup, but if restarting a server that aborted due to > some sort of resource exhaustion, it might be a lot more likely. I never > attempted to observe the issue actually happening in such apps, however; I > just noted that it could. I looked at the Apache jsvc tool, and it changes credentials before initializing the JVM. There's a comment suggesting that this dates back to the LinuxThreads days. Considering that they also change capabilities (which are still per-thread and not process-global), there isn't really a way around that. The jetty-setuid mechanism doesn't check the result of the setuid call, so it's not vulnerable to this glibc bug, either (because consistent setuid failure will not result in an abort and leave the service running with elevated privileges). Are there any other Java service loaders that could be affected this way, and for which source code is generally available? -- You are receiving this mail because: You are on the CC list for the bug.