PAM fscrypt adds root(0) group to all users called by su
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Shadow | Invalid | Undecided | Unassigned |
fscrypt (Ubuntu) | Fix Released | Medium | Unassigned |
shadow (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
related packages: /bin/su (from login, shadow)
OS: Ubuntu 18.04.1, updated
Bug: for a normal user (not in the 'root' group), when the PAM module fscrypt is active, all calls of su give the user the additional group root(0).
Results: this is a permission escalation; such a user can now delete files owned by the root group (where permissions are g+w)
Steps to reproduce:
0/ login uses pam unix authentication module (default on ubuntu, no action needed)
0.1/ create a new user:
# useradd developer
1/ verify:
# id developer
// on my system, shows
// uid=1004(developer) gid=1004(developer) groups=
\su - developer -c id
sudo -u developer id
2/ enable pam-fscrypt
# apt install libpam-fscrypt
# pam-auth-update --enable fscrypt
3/ verify again (bug shows)
// repeat step 1/
// the su command will show the bug (sudo won't, interestingly)
\su - developer -c id
// uid=1004(developer) gid=1004(developer) groups=
4/ workaround and return to original state:
pam-auth-update --disable fscrypt
apt remove libpam-fscrypt
Thank you,
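
One way to check a host for the symptom described in this report, as an added example that is not part of the original bug report or of fscrypt: it compares the GIDs in a session's `id` output with the GIDs the passwd and group files grant that user, and prints any extras. The function names, the `appuser` account and the sample `id` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# Numeric GIDs (gid= and groups=) found in one line of `id` output.
session_gids() {
    printf '%s\n' "$1" | sed 's/([^)]*)//g' | tr ' ' '\n' |
        grep -E '^(gid|groups)=' | sed 's/^[a-z]*=//' | tr ',' '\n' |
        grep -E '^[0-9]+$' | sort -un
}

# GIDs the account files grant: primary GID plus every group listing the user.
configured_gids() {  # args: user passwd_file group_file
    {
        awk -F: -v u="$1" '$1 == u { print $4 }' "$2"
        awk -F: -v u="$1" '{
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) print $3
        }' "$3"
    } | sort -un
}

# GIDs present in the session but not granted by the account files.
unexpected_gids() {  # args: id_output user passwd_file group_file
    cfg=$(configured_gids "$2" "$3" "$4")
    session_gids "$1" | while read -r g; do
        printf '%s\n' "$cfg" | grep -qx "$g" || printf '%s\n' "$g"
    done
}

# Constructed sample data (not copied from the report).
SAMPLE_DIR=$(mktemp -d)
printf 'appuser:x:2001:2001::/home/appuser:/bin/sh\n' > "$SAMPLE_DIR/passwd"
printf 'root:x:0:\nappuser:x:2001:\nbuilders:x:3000:appuser\n' > "$SAMPLE_DIR/group"
CLEAN='uid=2001(appuser) gid=2001(appuser) groups=2001(appuser),3000(builders)'
LEAKY='uid=2001(appuser) gid=2001(appuser) groups=2001(appuser),3000(builders),0(root)'

for out in "$CLEAN" "$LEAKY"; do
    extra=$(unexpected_gids "$out" appuser "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group")
    echo "unexpected GIDs: ${extra:-none}"
done
```

On a live system the first argument would be the output of `\su - USER -c id`, with `/etc/passwd` and `/etc/group` as the files; accounts served from a directory service would need `getent passwd` and `getent group` output saved to files instead.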
Mark, nice discovery, thanks for the report. I've asked upstream fscrypt authors for assistance.
Thanks