
Bug #2725

server.groupname not required with server.username

Added by gstrauss 11 months ago. Updated 7 months ago.

Status: Fixed
Priority: High
Assignee: -
Category: core
Target version:
Start date: 2016-04-11
Due date:
% Done: 100%
Missing in 1.5.x:

Description

If lighttpd is started as root, it is a security exposure to leave the server running with root groups if server.groupname is not specified. The security exposure includes all groups the root user has active, including supplemental groups; the exposure is in addition to the exposure of gid 0.

diff --git a/src/server.c b/src/server.c
index 61d850c..8a2ad12 100644
--- a/src/server.c
+++ b/src/server.c
@@ -859,6 +859,14 @@ int main (int argc, char **argv) {

 #ifdef HAVE_PWD_H
                /* set user and group */
+               if (!buffer_string_is_empty(srv->srvconf.groupname)) {
+                       if (NULL == (grp = getgrnam(srv->srvconf.groupname->ptr))) {
+                               log_error_write(srv, __FILE__, __LINE__, "sb",
+                                       "can't find groupname", srv->srvconf.groupname);
+                               return -1;
+                       }
+               }
+
                if (!buffer_string_is_empty(srv->srvconf.username)) {
                        if (NULL == (pwd = getpwnam(srv->srvconf.username->ptr))) {
                                log_error_write(srv, __FILE__, __LINE__, "sb",
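Review bot: the `grp` lookup is now hoisted above the `pwd` lookup, and the second half of the change tests `NULL == grp` / `NULL != grp` to decide whether the groupname branch ran; that only works if `grp` is initialised to NULL at its declaration, which is outside the visible context. Please confirm the declaration (or add `grp = NULL;` at the top of this block) so a stale pointer from an earlier scope cannot skip the `getgrgid(pwd->pw_gid)` fallback.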
@@ -871,14 +879,15 @@ int main (int argc, char **argv) {
                                                "I will not set uid to 0\n");
                                return -1;
                        }
-               }

-               if (!buffer_string_is_empty(srv->srvconf.groupname)) {
-                       if (NULL == (grp = getgrnam(srv->srvconf.groupname->ptr))) {
-                               log_error_write(srv, __FILE__, __LINE__, "sb",
-                                       "can't find groupname", srv->srvconf.groupname);
+                       if (NULL == grp && NULL == (grp = getgrgid(pwd->pw_gid))) {
+                               log_error_write(srv, __FILE__, __LINE__, "sd",
+                                       "can't find group id", pwd->pw_gid);
                                return -1;
                        }
+               }
+
+               if (NULL != grp) {
                        if (grp->gr_gid == 0) {
                                log_error_write(srv, __FILE__, __LINE__, "s",
                                                "I will not set gid to 0\n");
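Review bot: resolving `grp` from `pwd->pw_gid` gives the drop path a non-zero primary gid for setgid(), but setgid() alone does not clear the supplemental groups inherited from root, which is exactly the exposure the description names; the code that actually drops (not visible in this hunk) should also call `initgroups(pwd->pw_name, grp->gr_gid)` (or `setgroups()`) before setuid(), while the process still has the privilege to do so. Minor: `log_error_write(..., "sd", "can't find group id", pwd->pw_gid)` passes a `gid_t` (unsigned on Linux) through a format that presumably reads an `int`; a cast to `int` keeps the varargs types honest.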

Separately, if server.username is not specified, the server will continue to run as root. This behavior may be intended on embedded systems. Should this be allowed? Should a warning be issued? Should we require a config directive to continue to run as root without exiting? The above patch does not address this question.


Related issues

Related to Bug #1336: server.username & server.groupname Wontfix

Associated revisions

Revision 558bfc4e (diff)
Added by gstrauss 7 months ago

[security] ensure gid != 0 if server.username set (fixes #2725)

server.username can not be root or 0.
server.groupname can not be root or 0.

If server.username is set, previous behavior might retain gid 0
if server.groupname was not set.

New behavior calls setgid() on server.username primary gid, and
then initgroups on server.username if server.username is set but
server.groupname is not set.

x-ref:
"server.groupname not required with server.username"
https://redmine.lighttpd.net/issues/2725
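The following is an added example, not lighttpd code, showing the privilege-drop sequence that the issue description and the commit message above describe: resolve the group from server.groupname if set, otherwise from the user's primary gid; refuse uid 0 and gid 0; then setgid(), initgroups(), setuid() in that order, and verify afterwards that no gid 0 survived in the supplemental group list. Function names, the `drop_status` codes and the `drop_target` struct are this example's own inventions; the user name "nobody" used as a default is an assumption about the host.

```c
/* Added example (not lighttpd code): the drop ordering discussed in #2725. */
#define _DEFAULT_SOURCE 1
#include <sys/types.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum drop_status {
    DROP_OK = 0,
    DROP_NO_USER,    /* getpwnam() found nothing */
    DROP_NO_GROUP,   /* getgrnam()/getgrgid() found nothing */
    DROP_UID_ZERO,   /* refuse to "drop" to root */
    DROP_GID_ZERO,   /* refuse to keep or set gid 0 */
    DROP_SYSCALL,    /* setgid/initgroups/setuid failed; see errno */
    DROP_VERIFY      /* post-drop check failed: still privileged */
};

struct drop_target {        /* hypothetical struct, not lighttpd's */
    uid_t uid;
    gid_t gid;
    char  user[64];         /* name is needed later by initgroups() */
};

/* Resolve uid/gid the way the fix does: explicit groupname wins, otherwise
 * the user's primary gid.  groupname may be NULL or "". */
enum drop_status resolve_drop_target(const char *username, const char *groupname,
                                     struct drop_target *out)
{
    const struct passwd *pwd;
    const struct group *grp = NULL;   /* NULL: fall back to pw_gid below */

    if (groupname != NULL && *groupname != '\0') {
        if (NULL == (grp = getgrnam(groupname))) return DROP_NO_GROUP;
    }
    if (NULL == (pwd = getpwnam(username))) return DROP_NO_USER;
    if (pwd->pw_uid == 0) return DROP_UID_ZERO;
    if (NULL == grp && NULL == (grp = getgrgid(pwd->pw_gid))) return DROP_NO_GROUP;
    if (grp->gr_gid == 0) return DROP_GID_ZERO;

    out->uid = pwd->pw_uid;
    out->gid = grp->gr_gid;
    snprintf(out->user, sizeof out->user, "%s", username);
    return DROP_OK;
}

/* Pure check: does a gid list still contain gid 0?  Root's supplemental
 * groups surviving the drop is exactly the exposure the report describes. */
int gid_list_has_root(const gid_t *gids, int n)
{
    for (int i = 0; i < n; ++i)
        if (gids[i] == 0) return 1;
    return 0;
}

/* Drop.  Order matters: gid and supplemental groups first, because after
 * setuid() the process no longer has the privilege to change them. */
enum drop_status drop_privileges(const struct drop_target *t)
{
    if (setgid(t->gid) != 0) return DROP_SYSCALL;
    if (initgroups(t->user, t->gid) != 0) return DROP_SYSCALL; /* replaces root's groups */
    if (setuid(t->uid) != 0) return DROP_SYSCALL;

    if (setuid(0) == 0) return DROP_VERIFY;         /* must not regain root */
    if (getgid() == 0 || getegid() == 0) return DROP_VERIFY;
    int n = getgroups(0, NULL);                      /* size the list first */
    if (n < 0) return DROP_SYSCALL;
    gid_t *gids = calloc(n > 0 ? (size_t)n : 1, sizeof *gids);
    if (gids == NULL) return DROP_SYSCALL;
    int got = getgroups(n, gids);
    int bad = (got < 0) || gid_list_has_root(gids, got);
    free(gids);
    return bad ? DROP_VERIFY : DROP_OK;
}

int main(int argc, char **argv)
{
    struct drop_target t;
    const char *user = argc > 1 ? argv[1] : "nobody";   /* assumed to exist */
    const char *group = argc > 2 ? argv[2] : NULL;      /* NULL: use pw_gid */
    enum drop_status st = resolve_drop_target(user, group, &t);
    if (st != DROP_OK) { fprintf(stderr, "resolve failed: %d\n", st); return 1; }
    if (getuid() != 0) { fprintf(stderr, "run as root to actually drop\n"); return 1; }
    st = drop_privileges(&t);
    if (st != DROP_OK) { fprintf(stderr, "drop failed: %d (%s)\n", st, strerror(errno)); return 1; }
    printf("now uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run as root with `./drop nobody` to see the fallback to the user's primary gid; the verification step at the end is what a regression test for this bug should check, since setgid() succeeding says nothing about the supplemental list.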

History

#1 Updated by gstrauss 11 months ago

  • Related to Bug #1336: server.username & server.groupname added

#2 Updated by gstrauss 11 months ago

  • Related to deleted (Bug #1336: server.username & server.groupname)

#3 Updated by gstrauss 11 months ago

  • Subject changed from security: root groups exposed if server.groupname not set to server.groupname not required with server.username

#4 Updated by gstrauss 11 months ago

  • Related to Bug #1336: server.username & server.groupname added

#5 Updated by gstrauss 11 months ago

(changed ticket title on this private ticket since the title showed up on the non-private ticket when I marked them related)

Original title: security: root groups exposed if server.groupname not set to server.groupname not required with server.username

#6 Updated by stbuehler 11 months ago

In the past people sometimes asked how to run lighty as root and complained that setting username = "root" didn't work. My basic opinion was: if you can't figure it out yourself how to run it as root, you shouldn't.

Defaulting the group to the user's default group sounds fine.

#7 Updated by gstrauss 9 months ago

  • Target version changed from 1.4.40 to 1.4.41

#8 Updated by gstrauss 7 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

#9 Updated by gstrauss 7 months ago

  • Private changed from Yes to No
