Bug #2725
server.groupname not required with server.username
100%
Description
If lighttpd is started as root, it is a security exposure to leave the server running with root groups if server.groupname is not specified. The security exposure includes all groups the root user has active, including supplemental groups; the exposure is in addition to the exposure of gid 0.
diff --git a/src/server.c b/src/server.c
index 61d850c..8a2ad12 100644
--- a/src/server.c
+++ b/src/server.c
@@ -859,6 +859,14 @@ int main (int argc, char **argv) {
#ifdef HAVE_PWD_H
/* set user and group */
+ if (!buffer_string_is_empty(srv->srvconf.groupname)) {
+ if (NULL == (grp = getgrnam(srv->srvconf.groupname->ptr))) {
+ log_error_write(srv, __FILE__, __LINE__, "sb",
+ "can't find groupname", srv->srvconf.groupname);
+ return -1;
+ }
+ }
+
if (!buffer_string_is_empty(srv->srvconf.username)) {
if (NULL == (pwd = getpwnam(srv->srvconf.username->ptr))) {
log_error_write(srv, __FILE__, __LINE__, "sb",
@@ -871,14 +879,15 @@ int main (int argc, char **argv) {
"I will not set uid to 0\n");
return -1;
}
- }
- if (!buffer_string_is_empty(srv->srvconf.groupname)) {
- if (NULL == (grp = getgrnam(srv->srvconf.groupname->ptr))) {
- log_error_write(srv, __FILE__, __LINE__, "sb",
- "can't find groupname", srv->srvconf.groupname);
+ if (NULL == grp && NULL == (grp = getgrgid(pwd->pw_gid))) {
+ log_error_write(srv, __FILE__, __LINE__, "sd",
+ "can't find group id", pwd->pw_gid);
return -1;
}
+ }
+
+ if (NULL != grp) {
if (grp->gr_gid == 0) {
log_error_write(srv, __FILE__, __LINE__, "s",
"I will not set gid to 0\n");
Separately, if server.username is not specified, the server will continue to run as root. This behavior may be intended on embedded systems. Should this be allowed? Should a warning be issued? Should we require a config directive to continue to run as root without exiting? The above patch does not address this question.
Related issues
Associated revisions
History
#1 Updated by gstrauss about 1 year ago
- Related to Bug #1336: server.username & server.groupname added
#2 Updated by gstrauss about 1 year ago
- Related to deleted (Bug #1336: server.username & server.groupname)
#3 Updated by gstrauss about 1 year ago
- Subject changed from security: root groups exposed if server.groupname not set to server.groupname not required with server.username
#4 Updated by gstrauss about 1 year ago
- Related to Bug #1336: server.username & server.groupname added
#5 Updated by gstrauss about 1 year ago
(changed ticket title on this private ticket since the title showed up on the non-private ticket when I marked them related)
Original title: security: root groups exposed if server.groupname not set to server.groupname not required with server.username
#6 Updated by stbuehler about 1 year ago
In the past people sometimes asked how to run lighty as root and complained that setting username = "root" didn't work. My basic opinion was: if you can't figure it out yourself how to run it as root, you shouldn't.
Defaulting the group to the users default group sounds fine.
#7 Updated by gstrauss about 1 year ago
- Target version changed from 1.4.40 to 1.4.41
#8 Updated by gstrauss 11 months ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset 558bfc4e1e629688fc78d16b18413ff9802dc8f4.
Also available in: Atom
[security] ensure gid != 0 if server.username set (fixes #2725)
server.username can not be root or 0.
server.groupname can not be root or 0.
If server.username is set, previous behavior might retain gid 0
if server.groupname was not set.
New behavior calls setgid() on server.username primary gid, and
then initgroups on server.username if server.username is set but
server.groupname is not set.
x-ref:
"server.groupname not required with server.username"
https://redmine.lighttpd.net/issues/2725