VDB
KO
HIGH 7.9

GHSA-q38v-wp89-2w55

sh _uid does not drop supplementary groups (incomplete privilege drop)

Details

### Impact The `_uid` option performed an incomplete privilege drop on Linux/Unix-like systems.

When `sh` was run from a process with elevated privileges, such as root, and a command was launched with `_uid=<unprivileged user>`, the child process changed its UID and primary GID but did not reset its supplementary groups. As a result, the child process could retain the parent process’s supplementary groups, potentially including privileged groups such as root, docker, disk, shadow, or sudo.

This could allow a subprocess that was expected to run with reduced privileges to access files or resources available to the original process’s supplementary groups. Users are impacted if they rely on `_uid` as a privilege boundary when launching commands from a privileged parent process.

### Patches Upgrade to version >= 2.2.4

### Workarounds Avoid using `_uid` when the user represents a less-privileged user.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / sh
Introduced in: 0 Fixed in: 2.2.4
Fix pip install --upgrade 'sh>=2.2.4'

References