From: Ludovic Courtès
To: bug-guix@gnu.org
Subject: bitlbee running as root
Date: Mon, 16 May 2022 15:30:18 +0200
Message-ID: <874k1pa9lh.fsf@inria.fr>

Starting from commit 211fe3f66e6dfdaa64974931c458ab1d92afc182, if PID 1
is Shepherd 0.9.0, the bitlbee daemon was started on-demand as an inetd
service.

However, due to a logic bug, it was running as root (in a separate user
namespace though) instead of running as “bitlbee”.  The bug is that we
were spawning “bitlbee -u bitlbee” as root; normally, bitlbee would
setuid to the “bitlbee” user early on, but since it was in a separate
namespace and with a minimal /etc/passwd, it couldn’t do anything and
kept the current UID (that UID was 1000 inside the user namespace, but 0
outside).

Fix coming soon…

Ludo’.

From: Ludovic Courtès
To: control@debbugs.gnu.org
Subject: control message for bug #55450
Date: Mon, 16 May 2022 15:33:52 +0200
Message-Id: <8735h9a9fj.fsf@gnu.org>

tags 55450 + security
quit

From: Ludovic Courtès
To: 55450-done@debbugs.gnu.org
Subject: Re: bug#55450: bitlbee running as root
Date: Mon, 16 May 2022 15:53:42 +0200
Message-ID: <87lev18ty1.fsf@gnu.org>
In-Reply-To: <874k1pa9lh.fsf@inria.fr>
References: <874k1pa9lh.fsf@inria.fr>

Ludovic Courtès skribis:

> Starting from commit 211fe3f66e6dfdaa64974931c458ab1d92afc182, if PID 1
> is Shepherd 0.9.0, the bitlbee daemon was started on-demand as an inetd
> service.
>
> However, due to a logic bug, it was running as root (in a separate user
> namespace though) instead of running as “bitlbee”.  The bug is that we
> were spawning “bitlbee -u bitlbee” as root; normally, bitlbee would
> setuid to the “bitlbee” user early on, but since it was in a separate
> namespace and with a minimal /etc/passwd, it couldn’t do anything and
> kept the current UID (that UID was 1000 inside the user namespace, but 0
> outside).

Fixed by commit ecfcdff23a5ce390a7edc019c1f1216c4843dc04: the bitlbee
process is now started as “bitlbee” right from the start.

I reviewed other users of ‘least-authority-wrapper’ that were recently
introduced and didn’t see other mistakes of that kind.  You’re welcome
to take another look to make sure!

Ludo’.

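The UID translation described in this report (1000 inside the user namespace, 0 outside), as an added example that is not part of the thread and is not Guix or Shepherd code: it parses a map in the format of /proc/<pid>/uid_map as read from the parent namespace and checks which outer UID a service really holds. The sample map and the host UID 991 for “bitlbee” are constructed assumptions.

```python
# Added example (not Guix or Shepherd code): translate a UID seen inside a
# user namespace to the UID it maps to in the parent namespace.
# uid_map line format: "<first UID inside> <first UID outside> <count>".

# Constructed sample matching the report: UID 1000 inside maps to 0 outside.
SAMPLE_UID_MAP = "      1000          0          1\n"


def parse_uid_map(text):
    """Return a list of (inside_start, outside_start, count) ranges."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        ranges.append((inside, outside, count))
    return ranges


def to_outside_uid(inside_uid, ranges):
    """Map an in-namespace UID to the parent-namespace UID, or None if unmapped."""
    for inside, outside, count in ranges:
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None


def check_service_uid(inside_uid, uid_map_text, expected_outside_uid):
    """Return (ok, outside_uid); ok is False when the service is unmapped,
    mapped to root, or mapped to anything other than its own account."""
    outside = to_outside_uid(inside_uid, parse_uid_map(uid_map_text))
    ok = outside is not None and outside != 0 and outside == expected_outside_uid
    return ok, outside


if __name__ == "__main__":
    # 991 is a hypothetical host UID for the "bitlbee" account.
    print(check_service_uid(1000, SAMPLE_UID_MAP, expected_outside_uid=991))
```
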
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Tue, 14 Jun 2022 11:24:06 +0000

bug archived.