juju-run unit root escalation vulnerability
Bug #1682411 reported by
Ryan Beisner
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Canonical Juju |
Fix Released
|
Critical
|
John A Meinel | ||
2.0 |
Fix Released
|
Critical
|
John A Meinel | ||
2.1 |
Fix Released
|
Critical
|
John A Meinel | ||
2.2 |
Fix Released
|
Critical
|
John A Meinel | ||
juju-core |
Fix Released
|
Critical
|
John A Meinel | ||
1.25 |
Fix Released
|
Critical
|
John A Meinel | ||
juju (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
juju-core (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
juju-core-1 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
If a non-root and non-sudoer user has access to a console or otherwise has the ability remotely execute commands on unit, they can trivially become root with `juju-run <self-unit-name> 'whoami'`.
One specific example - this is the jenkins (non-privileged) user gaining root:
jenkins@
jenkins
jenkins@
[sudo] password for jenkins:
Sorry, try again.
[sudo] password for jenkins:
sudo: 1 incorrect password attempt
jenkins@
root
This is Juju 2.1.2 stable.
CVE References
Changed in juju: | |
importance: | High → Critical |
no longer affects: | juju/2.3 |
Changed in juju: | |
assignee: | nobody → John A Meinel (jameinel) |
status: | Triaged → In Progress |
Changed in juju-core: | |
assignee: | nobody → John A Meinel (jameinel) |
importance: | Undecided → Critical |
status: | New → In Progress |
Changed in juju (Ubuntu): | |
importance: | Undecided → Critical |
importance: | Critical → Undecided |
Changed in juju: | |
milestone: | 2.2-beta4 → 2.2-rc1 |
Changed in juju-core: | |
status: | Fix Committed → Fix Released |
information type: | Private Security → Public Security |
Changed in juju: | |
status: | Fix Committed → Fix Released |
To post a comment you must log in.
This isn't on arbitrary machines, but it is true on machines that were deployed with Juju.
"juju-run" runs inside of a hook context, which is inherently defined as 'run as root'.
We could potentially filter out access to juju-run via a group. The 'ubuntu' user would obviously be in that group, and charms could potentially add other users if they wanted to.
The actual goal is to allow running applications to report back information (for example juju-run status-set "blocked" "something is wrong").
We could try to limit the context of 'juju-run' to a non-root context, but then it inherently doesn't have full charm context. That would also affect people using:
juju run --all myscript
since that would change the privileges that you have for myscript.
Its a bit hard to say "apps have access to juju-run if they want to run something in a charm context" but then say "but you don't have root access, which is what charm context is".
Needs some thought, to sort out what is really useful for an application to have access to (setting live status would be very useful), vs what vulnerabilities we raise. (apt install apache defaults to not letting the apache user get access to root.)