> From: Solar Designer <so...@openwall.com>
> Sent: Friday, May 16, 2025 10:59 PM
> To: Carlos O'Donell <car...@redhat.com>
> Cc: oss-security@lists.openwall.com
> Subject: Re: [oss-security] The GNU C Library security advisories update for
> 2025-05-16
>
> [...]
>
> Notably, Go produces static binaries, and I guess would include glibc from
> its own build? Do they also use any of the affected functions?
> Searching around shows people building Go programs complain about the glibc
> "warning: Using 'getaddrinfo' in statically linked applications requires at
> runtime the shared libraries from the glibc version used for linking" (and
> ditto for some other functions), but only a subset (maybe
> none?) of those programs would be installed SUID/SGID/setcaps. Are we aware
> of any?
>
> Alexander
Go has poor support for SUID/SGID out of the box, due to interactions between the semantics of goroutines and Linux setugid syscalls applying on a per-thread basis. AIUI, it's explicitly advised not to drop/gain privileges within a Golang binary itself. I would imagine capabilities have similar drawbacks, since they are also per-thread attributes. OTOH, much of the Golang software I've seen that does need privileges tends to be run as root directly, making this attack a bit of a moot point.