From patchwork Wed Jan 18 14:24:28 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Timo Rothenpieler X-Patchwork-Id: 3006 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:c95:b0:82:e4b3:40a0 with SMTP id p21csp3285680dyk; Wed, 18 Jan 2023 06:41:13 -0800 (PST) X-Google-Smtp-Source: AMrXdXuBJme9wC8z9RjpFm/H0kTXLSCGoGWX9+LdKYSi/j4CAA7s7zwYhNWWilReYDmBNfMDruxE X-Received: by 2002:a17:90a:8c97:b0:227:7f5:9fdb with SMTP id b23-20020a17090a8c9700b0022707f59fdbmr7903474pjo.23.1674052872901; Wed, 18 Jan 2023 06:41:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1674052872; cv=none; d=google.com; s=arc-20160816; b=rsvY4OrmvrQfrm+vwp3BED3ct2IsMZD3wuBetKLvpt4lmZb39z7RF3WJQyiNqZyKYZ NzP/j+ttuD+idRoDxPqcASipFyDmghK3BuAA0c28dcZ6qtwnKijRWfbjKqbdsv21C0iD ASevSFsCOUtapXWqBlR6KuAGPdoOhA9b8vy2fZ+GkRff19bRymXJBkJcFi0m1ZlRBe7H 01bdoQ+5AzXs8h32gYMTnfZ0GkGbPe4jhM+M7nddvqiBh9ZcNYCuEWihWgRBb60rKQGB 9/9WkD6zaP4XoUGLvC5QVcdDWV/VGamfI1HZtprj3+KofwrhiTSVUpSe0vu9yaxe9KyX CcYA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:message-id:date:to:from:dkim-signature:dkim-signature :dkim-signature; bh=sV3bTQmhVhfpDUN31sO28WqoHC9ZAB4XmeJrZswnXaU=; b=z0kNb76g5M+Ogt4mliV7AUbYsbxpHFr4srdn4keHc8FtGS5T+AVJcXTjQkoBpY3ngx Y6lva49XAJcqGU1VWkpXzcmcag/N12KdnlTMLh1c181MvopTdeExx+NescFUsvIXX8hw PXiCnjuFgXzoRum+9ta/OIb1foAldjZkk84luwxGEPFFJZ1AMJKtjX+iOYoF9gBUM6FU sK/wN95Mtr+Fze3rSAj7a6eLHZ9oy+zAI2EC2QpjmBBg/ERLSr2cGePWf/wudlL8A0tO C1QkDvfCvHwLsXdSyiJ0+16xm1FT77dmQgU/Xphi9HpBQwREEa4IeZhX1VT30nN3OGgt rl3g== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=aqR3R779; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=WTGWHTlH; dkim=neutral (body hash did not verify) header.i=@rothenpieler.org header.s=mail header.b=nHml25yy; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=rothenpieler.org Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id j70-20020a638049000000b004b55673ea6fsi25710528pgd.103.2023.01.18.06.41.12 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Jan 2023 06:41:12 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=aqR3R779; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=WTGWHTlH; dkim=neutral (body hash did not verify) header.i=@rothenpieler.org header.s=mail header.b=nHml25yy; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=rothenpieler.org Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1pI9cQ-0007G6-3H; Wed, 18 Jan 2023 14:40:49 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1pI9cO-0007Fs-Pv for openvpn-devel@lists.sourceforge.net; Wed, 18 Jan 2023 14:40:48 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=/TXjA/wIBi4/sjia5drpCR2DRba5+1KWuUW0pNtM7ug=; b=aqR3R7791lfSTmYIBcNXDy/omw XMKrz0MVFbCHCg5yW6BXMx15lMtYBVOpixLCWmMOPflBYixkl4LXAWLKdxL6x4eTRyA7gtAfZV20T 75Y1xLaEg3qc0k8x6r5a8gAuxEOvAZgnqCVDUpi2Pb1D1BCjtbi81BMr8bhxPz/IHNWQ=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:Cc:To:From :Sender:Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=/TXjA/wIBi4/sjia5drpCR2DRba5+1KWuUW0pNtM7ug=; b=W TGWHTlH8T07Tx/LO0Eg6kRGqEn5wlarOl6llq3OruGhRDCfUfc68r3xGjxmJHIXhDY5HeDqtYNU50 qdJXUAq135CcExifUOXBLqvbQBquTrDaO2JM6uc4dupeZww88OEsyD6SLQifdSiubH5OPn1B2M+wZ i9ncdirf0kkbfl94=; Received: from btbn.de ([136.243.74.85]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1pI9cJ-0002rb-MV for openvpn-devel@lists.sourceforge.net; Wed, 18 Jan 2023 14:40:47 +0000 Received: from [authenticated] by btbn.de (Postfix) with ESMTPSA id B03611AFA5E; Wed, 18 Jan 2023 15:24:25 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rothenpieler.org; s=mail; t=1674051865; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=/TXjA/wIBi4/sjia5drpCR2DRba5+1KWuUW0pNtM7ug=; b=nHml25yy2BCHAEtxPSjwvz3LRgSitWyJHE0FDcgCltRzB8ZGMTg5RT5kI0oYFLxASkFmqK ivqNbt6T2I9Y0BTjKN7PX2CHqA0tPvfYLknbkl4uqaKENuPSRQJIwrfg7luFGGTCuSn5zH 7LT39h7d19POtVmJlZ5ejWwwkBFZtDvobb8ZplK0oAk82MZ0cKQo9hKeirnd1ODCGgKMiD 7gQXN9nNhb/yzoueSpwu3wlGNYbstNiFkAKJH+StyTbGxpDO8bGuxryJTAEtpVApUJbwZT g5vAOErTAHOLgcHW5pc8vlPNGY/uGbbx1c1J2JRVHuDg4zQ4IbK/yEjEOx/0cw== From: Timo Rothenpieler To: openvpn-devel@lists.sourceforge.net Date: Wed, 18 Jan 2023 15:24:28 +0100 Message-Id: <20230118142428.162-1-timo@rothenpieler.org> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: The bounding set being empty will overpower the likes of su/sudo and will make it impossible for any child processes to ever gain additional privileges again. This fixes https://github.com/OpenVPN/openvpn/issues/220 Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record -0.0 SPF_HELO_PASS SPF: HELO matches SPF record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1pI9cJ-0002rb-MV Subject: [Openvpn-devel] [PATCH] Don't clear capability bounding set on capng_change_id X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1755371665106135152?= X-GMAIL-MSGID: =?utf-8?q?1755371665106135152?= The bounding set being empty will overpower the likes of su/sudo and will make it impossible for any child processes to ever gain additional privileges again. This fixes https://github.com/OpenVPN/openvpn/issues/220 Signed-off-by: Timo Rothenpieler Acked-by: Gert Doering --- src/openvpn/platform.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c index 1b5fa9ad..580c4cb8 100644 --- a/src/openvpn/platform.c +++ b/src/openvpn/platform.c @@ -246,7 +246,7 @@ platform_user_group_set(const struct platform_state_user *user_state, /* Change to new UID/GID. * capng_change_id() internally calls capng_apply() to apply prepared capabilities. */ - res = capng_change_id(new_uid, new_gid, CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING); + res = capng_change_id(new_uid, new_gid, CAPNG_DROP_SUPP_GRP); if (res == -4 || res == -6) { /* -4 and -6 mean failure of setuid/gid respectively.