Bug #2725
server.groupname not required with server.username
100%
Description
If lighttpd is started as root, it is a security exposure to leave the server running with root groups if server.groupname is not specified. The security exposure includes all groups the root user has active, including supplemental groups; the exposure is in addition to the exposure of gid 0.
diff --git a/src/server.c b/src/server.c index 61d850c..8a2ad12 100644 --- a/src/server.c +++ b/src/server.c @@ -859,6 +859,14 @@ int main (int argc, char **argv) { #ifdef HAVE_PWD_H /* set user and group */ + if (!buffer_string_is_empty(srv->srvconf.groupname)) { + if (NULL == (grp = getgrnam(srv->srvconf.groupname->ptr))) { + log_error_write(srv, __FILE__, __LINE__, "sb", + "can't find groupname", srv->srvconf.groupname); + return -1; + } + } + if (!buffer_string_is_empty(srv->srvconf.username)) { if (NULL == (pwd = getpwnam(srv->srvconf.username->ptr))) { log_error_write(srv, __FILE__, __LINE__, "sb", @@ -871,14 +879,15 @@ int main (int argc, char **argv) { "I will not set uid to 0\n"); return -1; } - } - if (!buffer_string_is_empty(srv->srvconf.groupname)) { - if (NULL == (grp = getgrnam(srv->srvconf.groupname->ptr))) { - log_error_write(srv, __FILE__, __LINE__, "sb", - "can't find groupname", srv->srvconf.groupname); + if (NULL == grp && NULL == (grp = getgrgid(pwd->pw_gid))) { + log_error_write(srv, __FILE__, __LINE__, "sd", + "can't find group id", pwd->pw_gid); return -1; } + } + + if (NULL != grp) { if (grp->gr_gid == 0) { log_error_write(srv, __FILE__, __LINE__, "s", "I will not set gid to 0\n");
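Review bot: in the first hunk, moving the server.groupname lookup ahead of the username lookup makes the later `if (NULL != grp)` test (second hunk) depend on `grp` being NULL whenever server.groupname is empty; the context shown does not include the declaration of `grp`, so confirm it is initialised to NULL at declaration rather than left indeterminate. A one-line comment above the moved block would also help readers see why the group is resolved first: so that the username branch can fall back to the user's primary group only when no explicit group was given.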
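Review bot: in the second hunk, the fallback `if (NULL == grp && NULL == (grp = getgrgid(pwd->pw_gid)))` changes the default for server.groupname from "keep the current gid, possibly 0" to "the user's primary group", which is the fix this ticket wants, but the new default should be recorded in the server.groupname documentation and in NEWS so operators know an explicit group is no longer needed to avoid gid 0. In the error path `"can't find group id", pwd->pw_gid`, a gid_t is passed through the `"sd"` format; an explicit `(int)` cast would match what the `d` conversion reads on platforms where gid_t is not int.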
Separately, if server.username is not specified, the server will continue to run as root. This behavior may be intended on embedded systems. Should this be allowed? Should a warning be issued? Should we require a config directive to continue to run as root without exiting? The above patch does not address this question.
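As an added illustration of the exposure described above (example code written for this page, not lighttpd's own server.c): it resolves the target user and group the way the patch does, refuses uid 0 or gid 0, falls back to the user's primary group when no group name is given, and after setgid()/initgroups()/setuid() checks through getgroups() that no gid 0 survives in the supplemental list. The function names, the `target_ids` struct and the 64-byte user buffer are my own choices.

```c
/* Added example (not lighttpd code): resolve a target user/group the way the
 * ticket's patch does, refuse uid 0 / gid 0, drop privileges in the right order
 * and verify that no root group survives in the supplemental group list. */
#define _DEFAULT_SOURCE 1   /* for initgroups() in <grp.h> on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

struct target_ids {
    uid_t uid;
    gid_t gid;
    char user[64];   /* kept because initgroups() needs the name, not the uid */
};

/* 1 if any entry of the list is gid 0 (the root group), else 0. */
int has_root_group(const gid_t *gids, int n) {
    for (int i = 0; i < n; i++)
        if (gids[i] == 0) return 1;
    return 0;
}

/* Resolve names to ids before touching any privilege. groupname may be NULL
 * or empty, in which case the user's primary group is used (the default the
 * patch introduces). Returns 0 on success, -1 with a message in err. */
int resolve_target_ids(const char *username, const char *groupname,
                       struct target_ids *out, char *err, size_t errlen) {
    struct passwd *pwd;
    struct group *grp;

    if (username == NULL || *username == '\0') {
        snprintf(err, errlen, "no username given; refusing to stay root");
        return -1;
    }
    if ((pwd = getpwnam(username)) == NULL) {
        snprintf(err, errlen, "can't find username %s", username);
        return -1;
    }
    if (pwd->pw_uid == 0) {
        snprintf(err, errlen, "I will not set uid to 0");
        return -1;
    }
    if (groupname != NULL && *groupname != '\0')
        grp = getgrnam(groupname);
    else
        grp = getgrgid(pwd->pw_gid);   /* fall back to the user's primary group */
    if (grp == NULL) {
        snprintf(err, errlen, "can't find group for %s", username);
        return -1;
    }
    if (grp->gr_gid == 0) {
        snprintf(err, errlen, "I will not set gid to 0");
        return -1;
    }
    out->uid = pwd->pw_uid;
    out->gid = grp->gr_gid;
    snprintf(out->user, sizeof out->user, "%s", pwd->pw_name);
    return 0;
}

/* Confirm the effective identity: uid/gid as requested and no gid 0 anywhere
 * in the supplemental list. Returns 0 if clean, -1 otherwise. */
int verify_dropped(const struct target_ids *t) {
    if (getuid() != t->uid || geteuid() != t->uid) return -1;
    if (getgid() != t->gid || getegid() != t->gid) return -1;
    int n = getgroups(0, NULL);
    if (n < 0) return -1;
    gid_t *list = calloc((size_t)n + 1, sizeof *list);
    if (list == NULL) return -1;
    n = getgroups(n, list);
    int bad = (n < 0) || has_root_group(list, n);
    free(list);
    return bad ? -1 : 0;
}

/* Order matters: the group switch must happen while still root, and
 * initgroups() replaces root's supplemental groups with the target user's.
 * Skipping initgroups() is exactly the exposure this ticket describes. */
int drop_privileges(const struct target_ids *t) {
    if (setgid(t->gid) != 0) { perror("setgid"); return -1; }
    if (initgroups(t->user, t->gid) != 0) { perror("initgroups"); return -1; }
    if (setuid(t->uid) != 0) { perror("setuid"); return -1; }
    return verify_dropped(t);
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s user [group]\n", argv[0]); return 2; }
    struct target_ids t;
    char err[128];
    if (resolve_target_ids(argv[1], argc > 2 ? argv[2] : NULL, &t, err, sizeof err) != 0) {
        fprintf(stderr, "%s\n", err);
        return 1;
    }
    if (drop_privileges(&t) != 0) {
        fprintf(stderr, "privilege drop failed or left a root group behind\n");
        return 1;
    }
    printf("running as uid %lu gid %lu with no root groups\n",
           (unsigned long)getuid(), (unsigned long)getgid());
    return 0;
}
```

Run it as root with a non-root user name to see the drop succeed; the verify step is what catches the case the ticket is about, since a process that calls setuid() but never replaces root's supplemental groups still reports gid 0 from getgroups().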
Related issues
Associated revisions
History
Updated by gstrauss about 2 years ago
- Related to Bug #1336: server.username & server.groupname added
Updated by gstrauss about 2 years ago
- Related to deleted (Bug #1336: server.username & server.groupname)
Updated by gstrauss about 2 years ago
- Subject changed from security: root groups exposed if server.groupname not set to server.groupname not required with server.username
Updated by gstrauss about 2 years ago
- Related to Bug #1336: server.username & server.groupname added
Updated by gstrauss about 2 years ago
(changed ticket title on this private ticket since the title showed up on the non-private ticket when I marked them related)
Original title: security: root groups exposed if server.groupname not set to server.groupname not required with server.username
Updated by stbuehler about 2 years ago
In the past people sometimes asked how to run lighty as root and complained that setting username = "root" didn't work. My basic opinion was: if you can't figure it out yourself how to run it as root, you shouldn't.
Defaulting the group to the user's default group sounds fine.
Updated by gstrauss over 1 year ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset 558bfc4e1e629688fc78d16b18413ff9802dc8f4.
[security] ensure gid != 0 if server.username set (fixes #2725)
server.username can not be root or 0.
server.groupname can not be root or 0.
If server.username is set, previous behavior might retain gid 0
if server.groupname was not set.
New behavior calls setgid() on server.username primary gid, and
then initgroups on server.username if server.username is set but
server.groupname is not set.
x-ref:
"server.groupname not required with server.username"
https://redmine.lighttpd.net/issues/2725