Your message dated Fri, 15 Nov 2024 19:35:24 +0000
with message-id <[email protected]>
and subject line Bug#1082326: fixed in proftpd-dfsg 1.3.8.b+dfsg-4
has caused the Debian Bug report #1082326,
regarding Supplemental Group Inheritance Grants Unintended Access to GID 0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1082326: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082326
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: proftpd-core
Version: 1.3.8+dfsg-4+deb12u3
Severity: grave

We've run into a problem with proftpd + mod_sftp + mod_sql, where a
user with no supplemental groups will incorrectly inherit supplemental
groups from the parent process. In ProFTPD Version 1.3.5, this
behavior resulted in users gaining supplemental membership in nogroup,
which had minimal security implications. In 1.3.8, it appears that the
parent process retains supplemental GID 0, which is inherited by child
processes and not overwritten if the authenticated user has no
supplemental groups.

On proftpd startup, the toplevel process supplemental groups were
previously set to those system groups associated with the user
specified in the User directive along with the group specified in the
Group directive. With the default config and system group membership,
this arrangement historically resulted in nogroup being the only
supplemental group. Since membership in nogroup provides essentially
no additional privilege, previous versions masked what appears to be a
longstanding (but questionable) behavior in proftpd where if a user
has no supplemental groups, the supplemental group memberships
inherited from the parent process are not discarded.

Unfortunately, the fix for
https://github.com/proftpd/proftpd/issues/808 removes code which
previously caused proftpd to overwrite its supplemental group
membership when configured to run as non-root. As a result, the
parent's supplemental group memberships at startup time (notably
supplemental GID 0) are retained and will be inherited by child
processes even if the User and Group directives are present. Users
with no supplemental groups of their own will keep this inherited
supplemental GID, granting them access to files/directories owned by
the root group.

-- 
Brian Ristuccia

--- End Message ---
--- Begin Message ---
Source: proftpd-dfsg
Source-Version: 1.3.8.b+dfsg-4
Done: Hilmar Preuße <[email protected]>

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilmar Preuße <[email protected]> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Nov 2024 20:17:36 +0100
Source: proftpd-dfsg
Architecture: source
Version: 1.3.8.b+dfsg-4
Distribution: unstable
Urgency: high
Maintainer: ProFTPD Maintainance Team 
<[email protected]>
Changed-By: Hilmar Preuße <[email protected]>
Closes: 1082326
Changes:
 proftpd-dfsg (1.3.8.b+dfsg-4) unstable; urgency=high
 .
   * Patch for issue Issue #1830 (Closes: #1082326).
     Supplemental Group Inheritance Grants Unintended Access to GID 0
   * Disable netaddr_get_addr_test test for now; it fails on risc64.
Checksums-Sha1:
 d6b45b52f79eb6ad78a1837891a24d1a5b24edba 3371 proftpd-dfsg_1.3.8.b+dfsg-4.dsc
 d84b655bff26c15a571eaab4e44ee7b40ac8449b 78616 
proftpd-dfsg_1.3.8.b+dfsg-4.debian.tar.xz
 ab8f9201f339e7a9d5cfe75ca62bccc4d6050fa0 6062 
proftpd-dfsg_1.3.8.b+dfsg-4_source.buildinfo
Checksums-Sha256:
 ed846e50ebbae3583e9cc6a64688f5d29e056c89325456fbb5b118511e0232c9 3371 
proftpd-dfsg_1.3.8.b+dfsg-4.dsc
 53965b4154cc64be62cacbc5a722d29cb19dda280645451800e6287da2d34eb3 78616 
proftpd-dfsg_1.3.8.b+dfsg-4.debian.tar.xz
 94fc485c85bc92d4c587968c4148e8a1b0e018c50ee0147a3a40e18eb044323e 6062 
proftpd-dfsg_1.3.8.b+dfsg-4_source.buildinfo
Files:
 c17fa53704f608fb949b608e0611e66a 3371 net optional 
proftpd-dfsg_1.3.8.b+dfsg-4.dsc
 f204b9413d29b60f3bda5e114424b85d 78616 net optional 
proftpd-dfsg_1.3.8.b+dfsg-4.debian.tar.xz
 d4fcbaaa57e7b39bc58f34af676eb56d 6062 net optional 
proftpd-dfsg_1.3.8.b+dfsg-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEaXGmC/nkbIhxf16kxiZYRqvgLIsFAmc3nn1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDY5
NzFBNjBCRjlFNDZDODg3MTdGNUVBNEM2MjY1ODQ2QUJFMDJDOEIACgkQxiZYRqvg
LIvnIxAAqI8N8iJDN5qEN4rr2Sj8z1tssJAb76PT52+c4zgvKZbpUhhex/w9AxEX
EPgon0R9il+Y1zdIdLngySLTKHjmgwStmvaj0FZiLftGV98z1sGgC5YdBty7lfkp
UuiU/H3kapNWxBwWf81FVc2h5H8gWeevFYvOmF3p4fj1ag/k1ZuV9kwI7k8f/8Fr
RuNbNP1OhCInlTR4wTthSc99iUpp1APBwMzl9j2d+E2G0N4xKwYUb3DeAQrBLJns
vK/JA0XLOvkJ9FsdiIpLh+/D0I/vSEjgaP+SwG81P8AsPcbo1DnNm7eXtWIm4DtF
Szl5EYXwxWu9LFV/zWEuynOcf4VXMEgulIcwa28fOWQ9RwrAYCA+eKQTg/JJcV4A
6p/AYC0eJfj7DwKlilea8SXFyRke0lzzPtIxECmM538gAqF+ymfUzHZeqhzj+Wt1
D3L4wxCGOt/mxfZZGSWc8OafNyLURQwpgDC9551M+piyd2KYjsNghxJf4jYqtsB3
ANdBKaUxAOSW4eIFYgB5yM0QLugm5kbolU1jT4N2pBH9d6dNOJikIz4vk8j/AKHN
7HKZksH+REdc7UFjj5Dn9npyxddXUI4XteRC4mjkJCHLcqbNeCQHBYkO9OzgXr2X
A7d8B8wWxFi+mY2c/uLKd12x96GCGCo/XE8xPTrwmeeJASWgZRw=
=v+wr
-----END PGP SIGNATURE-----

Attachment: pgpKHw59VGnuJ.pgp
Description: PGP signature


--- End Message ---

Reply via email to