GNU bug report logs -
#55450
bitlbee running as root
Previous Next
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Mon, 16 May 2022 13:31:01 UTC
Severity: normal
Tags: security
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Full log
Message #12 received at 55450-done <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès <ludo <at> gnu.org> skribis:
> Starting from commit 211fe3f66e6dfdaa64974931c458ab1d92afc182, if PID 1
> is Shepherd 0.9.0, the bitlbee daemon was started on-demand as an inetd
> service.
>
> However, due to a logic bug, it was running as root (in a separate user
> namespace though) instead of running as “bitlbee”. The bug is that we
> were spawning “bitlbee -u bitlbee” as root; normally, bitlbee would
> setuid to the “bitlbee” user early on, but since it was in a separate
> namespace and with a minimal /etc/passwd, it couldn’t do anything and
> kept the current UID (that UID was 1000 inside the user namespace, but 0
> outside).
Fixed by commit ecfcdff23a5ce390a7edc019c1f1216c4843dc04: the bitlbee
process is now started as “bitlbee” right from the start.
I reviewed other users of ‘least-authority-wrapper’ that were recently
introduced and didn’t see other mistakes of that kind. You’re welcome
to take another look to make sure!
Ludo’.
This bug report was last modified 3 years and 63 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.