2022-02-19 01:16:45 |
Seth Arnold |
bug |
|
|
added bug |
2022-02-19 01:17:23 |
Seth Arnold |
bug |
|
|
added subscriber Didier Roche |
2022-02-21 09:56:18 |
Didier Roche-Tolomelli |
bug |
|
|
added subscriber Jean-Baptiste Lallement |
2022-03-08 10:20:48 |
Didier Roche-Tolomelli |
adsys (Ubuntu): status |
New |
Fix Committed |
|
2022-03-08 15:39:04 |
Launchpad Janitor |
adsys (Ubuntu): status |
Fix Committed |
Fix Released |
|
2022-06-08 08:13:11 |
Didier Roche-Tolomelli |
nominated for series |
|
Ubuntu Focal |
|
2022-06-08 08:13:11 |
Didier Roche-Tolomelli |
bug task added |
|
adsys (Ubuntu Focal) |
|
2022-06-08 13:39:00 |
Didier Roche-Tolomelli |
description |
./internal/policies/scripts/scripts.go ApplyPolicy() unsafe owner changes:
Changing the scripts directory owner allows any user processes to create
symbolic links within, and then they can take ownership of any file on
writable mounts.
If the files must be owned by the user, the best way is to switch to the
user's uid before creating the files. fchown(2) of the file descriptor
before closing it should also work.
I lose track of what's happening around the "Running machine startup
scripts" -- it looks to me like adsys is also *executing* the scripts that
were moments ago given to the user to modify. It is not safe for root to run
user-owned files.
Does the user *have* to own the directory and scripts?
Thanks |
[Impact]
Potential security issues in ApplyPolicy due to race when scripts are enabled.
[Test Plan]
1. Attach your machine to Ubuntu Advantage to get script support.
2. Add a script to one GPO for user login/logout
3. Check the permissions are following what is described from the discussion below.
[Where problems could occur]
Script support was added recently, and it needs Ubuntu Advantage enablement to be activated. However, to this day, there is still no official ubuntu-advantage-desktop-daemon packaged on focal.
----
./internal/policies/scripts/scripts.go ApplyPolicy() unsafe owner changes:
Changing the scripts directory owner allows any user processes to create
symbolic links within, and then they can take ownership of any file on
writable mounts.
If the files must be owned by the user, the best way is to switch to the
user's uid before creating the files. fchown(2) of the file descriptor
before closing it should also work.
I lose track of what's happening around the "Running machine startup
scripts" -- it looks to me like adsys is also *executing* the scripts that
were moments ago given to the user to modify. It is not safe for root to run
user-owned files.
Does the user *have* to own the directory and scripts?
Thanks |
|
2022-06-08 13:39:07 |
Didier Roche-Tolomelli |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-06-08 13:40:15 |
Didier Roche-Tolomelli |
description |
[Impact]
Potential security issues in ApplyPolicy due to race when scripts are enabled.
[Test Plan]
1. Attach your machine to Ubuntu Advantage to get script support.
2. Add a script to one GPO for user login/logout
3. Check the permissions are following what is described from the discussion below.
[Where problems could occur]
Script support was added recently, and it needs Ubuntu Advantage enablement to be activated. However, to this day, there is still no official ubuntu-advantage-desktop-daemon packaged on focal.
----
./internal/policies/scripts/scripts.go ApplyPolicy() unsafe owner changes:
Changing the scripts directory owner allows any user processes to create
symbolic links within, and then they can take ownership of any file on
writable mounts.
If the files must be owned by the user, the best way is to switch to the
user's uid before creating the files. fchown(2) of the file descriptor
before closing it should also work.
I lose track of what's happening around the "Running machine startup
scripts" -- it looks to me like adsys is also *executing* the scripts that
were moments ago given to the user to modify. It is not safe for root to run
user-owned files.
Does the user *have* to own the directory and scripts?
Thanks |
[Impact]
Potential security issues in ApplyPolicy due to race when scripts are enabled.
[Test Plan]
1. Attach your machine to Ubuntu Advantage to get script support.
2. Add a script to one GPO for user login/logout
3. Log in as a user.
4. Check the permissions are following what is described from the discussion below.
[Where problems could occur]
Script support was added recently, and it needs Ubuntu Advantage enablement to be activated. However, to this day, there is still no official ubuntu-advantage-desktop-daemon packaged on focal.
----
./internal/policies/scripts/scripts.go ApplyPolicy() unsafe owner changes:
Changing the scripts directory owner allows any user processes to create
symbolic links within, and then they can take ownership of any file on
writable mounts.
If the files must be owned by the user, the best way is to switch to the
user's uid before creating the files. fchown(2) of the file descriptor
before closing it should also work.
I lose track of what's happening around the "Running machine startup
scripts" -- it looks to me like adsys is also *executing* the scripts that
were moments ago given to the user to modify. It is not safe for root to run
user-owned files.
Does the user *have* to own the directory and scripts?
Thanks |
|
2022-06-08 13:40:47 |
Didier Roche-Tolomelli |
description |
[Impact]
Potential security issues in ApplyPolicy due to race when scripts are enabled.
[Test Plan]
1. Attach your machine to Ubuntu Advantage to get script support.
2. Add a script to one GPO for user login/logout
3. Log in as a user.
4. Check the permissions are following what is described from the discussion below.
[Where problems could occur]
Script support was added recently, and it needs Ubuntu Advantage enablement to be activated. However, to this day, there is still no official ubuntu-advantage-desktop-daemon packaged on focal.
----
./internal/policies/scripts/scripts.go ApplyPolicy() unsafe owner changes:
Changing the scripts directory owner allows any user processes to create
symbolic links within, and then they can take ownership of any file on
writable mounts.
If the files must be owned by the user, the best way is to switch to the
user's uid before creating the files. fchown(2) of the file descriptor
before closing it should also work.
I lose track of what's happening around the "Running machine startup
scripts" -- it looks to me like adsys is also *executing* the scripts that
were moments ago given to the user to modify. It is not safe for root to run
user-owned files.
Does the user *have* to own the directory and scripts?
Thanks |
[Impact]
Potential security issues in ApplyPolicy due to race when scripts are enabled.
[Test Plan]
1. Attach your machine to Ubuntu Advantage to get script support.
2. Add a script to one GPO for user login/logout
3. Log in as a user, starting a new user session (no session should be currently running for that given user).
4. Check the permissions are following what is described from the discussion below.
[Where problems could occur]
Script support was added recently, and it needs Ubuntu Advantage enablement to be activated. However, to this day, there is still no official ubuntu-advantage-desktop-daemon packaged on focal.
----
./internal/policies/scripts/scripts.go ApplyPolicy() unsafe owner changes:
Changing the scripts directory owner allows any user processes to create
symbolic links within, and then they can take ownership of any file on
writable mounts.
If the files must be owned by the user, the best way is to switch to the
user's uid before creating the files. fchown(2) of the file descriptor
before closing it should also work.
I lose track of what's happening around the "Running machine startup
scripts" -- it looks to me like adsys is also *executing* the scripts that
were moments ago given to the user to modify. It is not safe for root to run
user-owned files.
Does the user *have* to own the directory and scripts?
Thanks |
|
2022-06-15 00:02:25 |
Seth Arnold |
information type |
Private Security |
Public Security |
|
2022-09-21 09:44:28 |
Łukasz Zemczak |
adsys (Ubuntu Focal): status |
New |
Fix Committed |
|
2022-09-21 09:44:30 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2022-09-21 09:44:34 |
Łukasz Zemczak |
tags |
|
verification-needed verification-needed-focal |
|
2022-09-26 14:22:15 |
Jean-Baptiste Lallement |
tags |
verification-needed verification-needed-focal |
verification-done verification-done-focal |
|
2022-10-05 01:28:34 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2022-10-05 01:36:03 |
Launchpad Janitor |
adsys (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
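The mitigation suggested in the bug description (create the file, then fchown(2) the open descriptor instead of changing ownership by path inside a directory the user can write to), as an added Go example. It is not code from adsys; `installScript`, `demo` and the file names are hypothetical, and the symlink scenario is constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// installScript (hypothetical helper, not adsys code) writes dir/name and
// gives the file to uid:gid without resolving the path a second time.
func installScript(dir, name string, data []byte, uid, gid int) error {
	path := filepath.Join(dir, filepath.Base(name))
	// O_CREATE|O_EXCL fails if anything, a symlink included, already exists.
	flags := os.O_WRONLY | os.O_CREATE | os.O_EXCL | syscall.O_NOFOLLOW
	f, err := os.OpenFile(path, flags, 0o700)
	if err != nil {
		return fmt.Errorf("create %s: %w", path, err)
	}
	defer f.Close()
	if _, err := f.Write(data); err != nil {
		return err
	}
	// (*os.File).Chown is fchown(2): it acts on the inode opened above.
	return f.Chown(uid, gid)
}

// demo: constructed case where "logon.sh" was pre-planted as a symlink.
func demo() (refused, intact bool, err error) {
	dir, err := os.MkdirTemp("", "scripts-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)
	victim := filepath.Join(dir, "victim")
	if err = os.WriteFile(victim, []byte("keep"), 0o600); err != nil {
		return false, false, err
	}
	if err = os.Symlink(victim, filepath.Join(dir, "logon.sh")); err != nil {
		return false, false, err
	}
	uid, gid := os.Getuid(), os.Getgid() // chown to ourselves: no root needed
	refused = installScript(dir, "logon.sh", []byte("#!/bin/sh\n"), uid, gid) != nil
	got, err := os.ReadFile(victim)
	intact = err == nil && string(got) == "keep"
	return refused, intact, installScript(dir, "logoff.sh", []byte("#!/bin/sh\n"), uid, gid)
}

func main() { fmt.Println(demo()) }
```

This guards only the final path component and the ownership change; it does not address the report's second concern, that root should not execute files the user owns.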