Bug 65684 (CVE-2005-2496) - VUL-0: CVE-2005-2496: xntpd: using wrong group for dropping privileges
Status: RESOLVED FIXED
Alias: CVE-2005-2496
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Hendrik Vogelsang
QA Contact: Security Team bot
Whiteboard: CVE-2005-2496: CVSS v2 Base Score: 4....
Reported: 2005-02-10 19:26 UTC by Thomas Biege
Modified: 2021-11-08 10:18 UTC (History)
Found By: Other
Attachments
ntpd-using_wrong_group.diff (339 bytes, patch)
2005-02-10 19:31 UTC, Thomas Biege

Description Thomas Biege 2005-02-10 19:26:52 UTC
Hi, 
this one was reported to us 
 
From: Dax Kelson <dax@gurulabs.com> 
To: security@suse.de 
Date: Wed, 09 Feb 2005 17:03:00 -0700 
Subject: [security@suse.de] *SECURITY* problem with SLES9 and SL9.2 
Errors-To: security-bounces+thomas=suse.de@suse.de 
 
Historically many security problems have been discovered with the NTP 
daemon, ntpd. Because of this modern Linux distributions don't run ntpd 
as root any more and have it drop privileges. 
 
This is only done part way on SLES9 and SL9.2. 
 
# ps -C ntpd -o comm,pid,ruser,euser,rgroup,egroup 
COMMAND            PID RUSER    EUSER    RGROUP   EGROUP 
ntpd              6149 ntp      ntp      root     root 
 
You see that the group is still root.  This is a real security problem, 
but not a huge one in a system with the default configuration as ntpd is 
chrooted by to a directory tree and none of the files in it are writable 
by the root group. 
 
The solution is to add a "ntp" group to the system and change the SysV 
init script to use "-u ntp:ntp" instead of the current "-u ntp". 
 
Dax Kelson 
Guru Labs
Comment 1 Thomas Biege 2005-02-10 19:26:52 UTC
rcxntpd start 
ps -C ntpd -o comm,pid,ruser,euser,rgroup,egroup
Comment 2 Thomas Biege 2005-02-10 19:30:38 UTC
Debugging the problem revealed that the source of the evil is a bug in the 
ntpd.c code. 
 
Using a numerical GID works but not using a string. If a string was used the 
ntpd daemon looks up the gid to the corresponding name and then uses the 
gid of the user to switch to and not the gid of the group. ;) 
 
 
Comment 3 Thomas Biege 2005-02-10 19:31:34 UTC
Created attachment 28383 [details]
ntpd-using_wrong_group.diff
Comment 4 Thomas Biege 2005-02-10 19:32:56 UTC
I think a stable-only fix will suffice because the group 'ntp' belongs to  
'nogroup' which isn't a dangerous substitute for any other group. 
Comment 5 Hendrik Vogelsang 2005-02-10 19:55:55 UTC
But in stable we don't start ntpd with a group argument. So it uses root. Is that
ok too?

The patch works by the way...
Comment 6 Hendrik Vogelsang 2005-02-10 19:58:11 UTC
Sorry, that was mixed up.

If we only fix it in stable then on released products ntpd runs with the group
root and not with nogroup, because we don't use the group argument there.
Comment 7 Thomas Biege 2005-02-10 20:09:29 UTC
oh.. i see. 
 
don't care. let's fix it in stable only and add it to xntp for possible future 
updates. 
Comment 8 Hendrik Vogelsang 2005-02-10 20:15:03 UTC
ok so i use a group argument (ntp:nogroup) plus your patch if anybody wants to
use another group.
Comment 9 Hendrik Vogelsang 2005-02-10 20:58:13 UTC
checked in
Comment 10 Thomas Biege 2005-08-26 07:43:21 UTC
CAN-2005-2496
Comment 11 Thomas Biege 2009-10-13 21:04:40 UTC
CVE-2005-2496: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)