Setuid helper drops all supplementary groups
- Found in: 1.19
The setuid helper in ChrootSetuidJail (run-as-anonymous) drops all supplementary groups by calling setgroups(0, 0). However, some groups are negative rather than positive: membership is used to restrict access rather than to grant it. Dropping such a group might therefore add authority to the sandboxed process, which makes this a potential vulnerability.
Julien Tinnes reports:
- "Unfortunately on Linux, there is no way of telling if a given supplementary group is a privilege or not. On many systems, some groups are used to restrict user privileges (for instance groups such as "noexec", "nonetwork" are frequently used on grsecurity kernels). Another example is the use of groups in Netfilter rules.
Interestingly, on Windows they handle that quite well (there is a DenyOnly permission that you can associate with a supplementary group: you're only considered part of this group if this results in a denied access)."
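
The file-permission case of a negative group, as an added example that is not part of the original report or the project's code: it models the traditional owner/group/other read check (ignoring ACLs and root's override) and shows a read that is denied while a deny group is held and allowed once `setgroups(0, 0)` has cleared it. The uids, gids and modes are constructed, and gid 9001 is a hypothetical deny group.

```c
/* Added example: models the classic Unix owner/group/other check to show
 * why clearing supplementary groups can widen access. All ids and modes
 * below are constructed sample values. */
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/stat.h>

struct cred { uid_t uid; gid_t gid; const gid_t *groups; size_t ngroups; };
struct file_meta { uid_t owner; gid_t group; mode_t mode; };

static int in_group(const struct cred *c, gid_t g)
{
    if (c->gid == g) return 1;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g) return 1;
    return 0;
}

/* Exactly one class applies: owner, else group, else other. A group match
 * never falls through to "other", which is what makes deny groups work. */
int may_read(const struct cred *c, const struct file_meta *f)
{
    if (c->uid == f->owner) return (f->mode & S_IRUSR) != 0;
    if (in_group(c, f->group)) return (f->mode & S_IRGRP) != 0;
    return (f->mode & S_IROTH) != 0;
}

/* Returns 1 if dropping every supplementary group turns a denied read
 * into an allowed one. */
int drop_widens_read(const struct cred *before, const struct file_meta *f)
{
    struct cred after = *before;
    after.groups = NULL;   /* the effect of setgroups(0, 0) */
    after.ngroups = 0;
    return !may_read(before, f) && may_read(&after, f);
}

/* Constructed scenario: gid 9001 is a hypothetical "restricted" deny group. */
static const gid_t sample_groups[] = { 100, 9001 };
const struct cred sample_user = { 1000, 1000, sample_groups, 2 };
const struct file_meta deny_file = { 0, 9001, 0604 };  /* rw----r-- root:9001 */
const struct file_meta plain_file = { 0, 100, 0640 };  /* rw-r----- root:100 */

int main(void)
{
    printf("deny_file widened: %d\n", drop_widens_read(&sample_user, &deny_file));
    printf("plain_file widened: %d\n", drop_widens_read(&sample_user, &plain_file));
    return 0;
}
```

This only covers deny groups expressed through file modes; the grsecurity and Netfilter uses mentioned in the report are enforced elsewhere and are not visible to a check like this.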
