Hello everyone,
I encountered an issue with Pound 3 last night, and I believe I
discovered a fairly critical (though not security related) bug.
Debian and Ubuntu seem to be the only distributions that have pound 3 in
their repositories, I'm CCing Debian package's maintainer, as he might
be interested in this as well.
Expected behavior: latest Pound 3 binds to ports <1024 before using
setuid() to switch to an unprivileged user
Actual behavior: latest Pound 3 attempts to bind to ports <1024 as an
unprivileged user, resulting in bind failure
Tested platforms: Debian 11(binary, source installation), Rocky Linux 8
(source installation)
Steps to reproduce:
- install latest Pound 3 from apt or compile from source on latest Debian 11
- use an equivalent of the following config file (HTTPListener must have
port<1024 assigned)
- (same behavior with loopback addresses)
Global:
User: "_pound"
Group: "_pound"
#RootJail "/chroot/pound"
Backends:
- &be
Address: 192.168.121.153
Port: 8089
# This section must exist, but may be empty.
HTTPListeners:
- Address: 192.168.121.153
Port: 80
Services:
- Backends:
- *be
# This section must exist, but may be empty.
HTTPSListeners:
- pound then fails to bind with the following error message:
Listener 192.168.121.153:http: can't bind socket
strace reveals that the process first sets setuid() and setgid(),
BEFORE attempting to bind(), which results in EACCES (Permission denied)
this is further proven by the fact that bind() works flawlessly if we
fill in root in the User and Group fields (which is a very bad idea for
obvious reasons)
My fix:
(Please note that I'm neither a developer nor a C expert)
What I did was simply move the code block that takes care of setuid()
and setgid() BELOW the bind() procedures.
The new binary was able to bind to ports < 1024 without running as root.
Please see diff with my modification as en example
Best regards,
Edmond Janouš
---
--- pound_old.c 2022-05-31 13:05:54.107005905 +0000
+++ pound.c 2022-05-31 12:07:47.737356535 +0000
@@ -123,22 +123,7 @@
fclose(f_pid);
}
- /* chroot, set[ug]id */
- if(global.root_jail)
- if(chroot(global.root_jail)) {
- logmsg(0, "Can't chroot to %s", global.root_jail);
- exit(1);
- }
- if(global.group > 0)
- if(setgid(global.group)) {
- logmsg(0, "Can't setgid %d", global.group);
- exit(1);
- }
- if(global.user > 0)
- if(setuid(global.user)) {
- logmsg(0, "Can't setuid %d", global.user);
- exit(1);
- }
+
/* prepare threads */
pthread_attr_init(&attr);
@@ -267,6 +252,23 @@
listener_poll[n].events = POLLIN;
listeners[n++] = &http_listeners[i];
}
+
+ /* chroot, set[ug]id */
+ if(global.root_jail)
+ if(chroot(global.root_jail)) {
+ logmsg(0, "Can't chroot to %s", global.root_jail);
+ exit(1);
+ }
+ if(global.group > 0)
+ if(setgid(global.group)) {
+ logmsg(0, "Can't setgid %d", global.group);
+ exit(1);
+ }
+ if(global.user > 0)
+ if(setuid(global.user)) {
+ logmsg(0, "Can't setuid %d", global.user);
+ exit(1);
+ }
for(;;) {
poll(listener_poll, n, -1);
--
pound mailing list
pound@apsis.ch
https://admin.hostpoint.ch/mailman/listinfo/pound_apsis.ch
