Add POS36-C runtime safety check to setuid and security documentation #817

Open
mcepl wants to merge 4 commits into luvit:master from openSUSE-Python:unsafe-setuid
@mcepl (Contributor) commented Mar 18, 2026

Add a runtime check in luv_setuid() that prevents dropping from root (euid 0) to an unprivileged user while supplementary groups are still set. This addresses the CERT POS36-C vulnerability where setuid() alone does not revoke supplementary group privileges.

The check returns an error instructing users to call uv.setgroups({}) or uv.initgroups() before uv.setuid(). Non-root callers and
root-to-root transitions are unaffected.

Also adds security warnings to setuid/setgid documentation in all
three doc files (docs.md, docs.lua, meta.lua) explaining the correct
privilege-dropping order.

See: https://wiki.sei.cmu.edu/confluence/display/c/POS36-C
Fixes: #341
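
The guard and the drop order described in this pull request, sketched in C as an added example. It is not code from the pull request or from luv; the names `drop_allowed`, `checked_setuid` and `drop_privileges` are hypothetical, and reading "still set" as a non-empty `getgroups()` list is an assumption.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* glibc: expose setgroups() in <grp.h> */
#endif
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: the decision rule described in the PR text.
 * Returns 0 if setuid(target) may proceed, -EPERM if it must be refused. */
int drop_allowed(uid_t euid, uid_t target, int ngroups)
{
    if (euid != 0)   return 0;   /* non-root callers are unaffected */
    if (target == 0) return 0;   /* root-to-root is unaffected */
    /* Assumption: "still set" means getgroups() reports a non-empty list. */
    return ngroups > 0 ? -EPERM : 0;
}

/* Hypothetical wrapper: setuid() guarded by the rule above. */
int checked_setuid(uid_t target)
{
    int n = getgroups(0, NULL);  /* size 0: only count the groups */
    if (n < 0) return -errno;
    int rc = drop_allowed(geteuid(), target, n);
    if (rc != 0) return rc;
    return setuid(target) == 0 ? 0 : -errno;
}

/* Full drop in POS36-C order: supplementary groups, then gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -errno;  /* needs root, so go first */
    if (setgid(gid) != 0)        return -errno;
    int rc = checked_setuid(uid);
    if (rc != 0) return rc;
    /* Verify the drop is permanent: regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0) return -EPERM;
    return 0;
}
```

`drop_privileges()` only succeeds when started as root, because `setgroups()` itself requires privilege; that is why the group list has to be cleared before the UID changes.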

mcepl added 2 commits March 18, 2026 17:47
Expose POSIX getgroups(), setgroups(), and initgroups() as Lua-callable
functions (Unix-only). These are needed to properly manage supplementary
group IDs when dropping privileges, addressing the security concern
raised in issue luvit#341 (CERT POS36-C).

New functions:
- uv.getgroups(): returns table of supplementary group IDs
- uv.setgroups(groups): sets supplementary group IDs from a table
- uv.initgroups(user, group): sets groups from the group database

References: luvit#341

Add a runtime check in luv_setuid() that prevents dropping from root
(euid 0) to an unprivileged user while supplementary groups are still
set. This addresses the CERT POS36-C vulnerability where setuid()
alone does not revoke supplementary group privileges.

The check returns an error instructing users to call uv.setgroups({})
or uv.initgroups() before uv.setuid(). Non-root callers and
root-to-root transitions are unaffected.

Also adds security warnings to setuid/setgid documentation in all
three doc files (docs.md, docs.lua, meta.lua) explaining the correct
privilege-dropping order.

See: https://wiki.sei.cmu.edu/confluence/display/c/POS36-C
Fixes: luvit#341

@truemedian (Member)

docs.md and meta.lua are both generated files from the definitions in docs.lua. You need to run docs/docgen.lua to update the files for CI to pass.

@mcepl (Contributor, Author) commented Mar 18, 2026

> docs.md and meta.lua are both generated files

So, they shouldn't be in git at all?

@Bilal2453 (Contributor)

Where else would they be 😆

Successfully merging this pull request may close these issues.

Library calls setuid and/or setgid without setgroups or initgroups
