2020-07-02 23:52:46 |
Matthew Ruffell |
bug |
|
|
added bug |
2020-07-02 23:52:55 |
Matthew Ruffell |
nominated for series |
|
Ubuntu Groovy |
|
2020-07-02 23:52:55 |
Matthew Ruffell |
bug task added |
|
linux (Ubuntu Groovy) |
|
2020-07-02 23:53:01 |
Matthew Ruffell |
linux (Ubuntu Groovy): status |
New |
Fix Committed |
|
2020-07-02 23:53:31 |
Matthew Ruffell |
bug task added |
|
procps (Ubuntu) |
|
2020-07-02 23:53:39 |
Matthew Ruffell |
procps (Ubuntu Groovy): status |
New |
In Progress |
|
2020-07-02 23:53:44 |
Matthew Ruffell |
procps (Ubuntu Groovy): assignee |
|
Matthew Ruffell (mruffell) |
|
2020-07-02 23:56:19 |
Matthew Ruffell |
bug task added |
|
util-linux (Ubuntu) |
|
2020-07-02 23:56:26 |
Matthew Ruffell |
util-linux (Ubuntu Groovy): status |
New |
In Progress |
|
2020-07-02 23:56:30 |
Matthew Ruffell |
util-linux (Ubuntu Groovy): assignee |
|
Matthew Ruffell (mruffell) |
|
2020-07-03 00:13:42 |
Dominique Poulain |
bug |
|
|
added subscriber Dominique Poulain |
2020-07-03 02:31:04 |
Matthew Ruffell |
attachment added |
|
procps debdiff for Groovy https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1886112/+attachment/5389194/+files/lp1886112_procps_groovy.debdiff |
|
2020-07-03 04:28:43 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2020-07-03 04:28:44 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Terry Rudd |
2020-07-03 04:28:52 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2020-07-04 02:03:43 |
Matthew Ruffell |
attachment removed |
procps debdiff for Groovy https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1886112/+attachment/5389194/+files/lp1886112_procps_groovy.debdiff |
|
|
2020-07-05 23:02:22 |
Eric Desrochers |
bug |
|
|
added subscriber Eric Desrochers |
2020-07-06 00:35:55 |
Matthew Ruffell |
description |
[Impact]
This bug implements the enablement of CONFIG_SECURITY_DMESG_RESTRICT feature by default for Groovy onward, proposed to ubuntu-devel:
https://lists.ubuntu.com/archives/ubuntu-devel/2020-June/041063.html
The kernel log buffer contains a wealth of sensitive information, such as detailed call traces and kernel addresses found in register dumps in kernel oops messages.
Exploit developers and attackers can leverage these information leaks to get past KASLR, and they can use the kernel log buffer to get instant feedback on their privilege escalation attacks, as failures will be shown as further oops messages, which attackers can use to fix and tune their programs until they work.
Currently, if I create a new, unprivileged user on a Focal system, they cannot access /var/log/kern.log, /var/log/syslog or see system events in journalctl. But yet, they are given free reign to the kernel log buffer.
$ sudo adduser dave
$ su dave
$ groups
dave
$ cat /var/log/kern.log
cat: /var/log/kern.log: Permission denied
$ cat /var/log/syslog
cat: /var/log/syslog: Permission denied
$ journalctl
Hint: You are currently not seeing messages from other users and the system.
Users in groups 'adm', 'systemd-journal' can see all messages.
Pass -q to turn off this notice.
Jun 16 23:44:59 ubuntu systemd[2328]: Reached target Main User Target.
Jun 16 23:44:59 ubuntu systemd[2328]: Startup finished in 69ms.
$ dmesg
[ 0.000000] Linux version 5.4.0-34-generic (buildd at lcy01-amd64-014)
(gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #38-Ubuntu SMP Mon May 25 15:46:55
UTC 2020 (Ubuntu 5.4.0-34.38-generic 5.4.41)
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.4.0-34-generic
root=UUID=f9f909c3-782a-43c2-a59d-c789656b4188 ro
...
I propose that we restrict access to dmesg to users in group 'adm' like so:
1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel.
2) Following changes to /bin/dmesg permissions in package 'util-linux'
- Ownership changes to root:adm
- Permissions changed to 0750 (-rwxr-x---)
- Add cap_syslog capability to binary.
3) Add a commented out '# kernel.dmesg_restrict = 0' to
/etc/sysctl.d/10-kernel-hardening.conf
For most users, they will use the initial admin account, which is in the 'adm' group already, and will see no impact to these changes. If a log scraper type program needs access to dmesg, the user the daemon runs as can simply be added to the 'adm' group.
[Testcase]
Currently, all users can run /usr/bin/dmesg to view the kernel log buffer:
$ dmesg
[ 0.000000] Linux version 5.4.0-34-generic (buildd at lcy01-amd64-014)
(gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #38-Ubuntu SMP Mon May 25 15:46:55
UTC 2020 (Ubuntu 5.4.0-34.38-generic 5.4.41)
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.4.0-34-generic
root=UUID=f9f909c3-782a-43c2-a59d-c789656b4188 ro
...
When the changes are applied, the default admin user will be able to view dmesg (since they are in group 'adm'), while new unprivileged users will not.
$ whoami
ubuntu
$ groups
ubuntu adm cdrom sudo dip plugdev
$ dmesg
[ 0.000000] Linux version 5.4.0-34-generic (buildd at lcy01-amd64-014)
(gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #38-Ubuntu SMP Mon May 25 15:46:55
UTC 2020 (Ubuntu 5.4.0-34.38-generic 5.4.41)
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.4.0-34-generic
root=UUID=f9f909c3-782a-43c2-a59d-c789656b4188 ro
...
$ sudo adduser dave
$ su dave
$ groups
dave
$ dmesg
-bash: /usr/bin/dmesg: Permission denied
[Regression Potential]
Some users or log scraper type programs may need to view the kernel log buffer, or have access to dmesg. In this case, the underlying service user would need to be added to the 'adm' group.
Users have the ability to disable DMESG_RESTRICT by uncommenting the sysctl in /etc/sysctl.d/10-kernel-hardening.conf. |
[Impact]
This bug implements the enablement of CONFIG_SECURITY_DMESG_RESTRICT feature by default for Groovy onward, proposed to ubuntu-devel:
https://lists.ubuntu.com/archives/ubuntu-devel/2020-June/041063.html
The kernel log buffer contains a wealth of sensitive information, such as detailed call traces and kernel addresses found in register dumps in kernel oops messages.
Exploit developers and attackers can leverage these information leaks to get past KASLR, and they can use the kernel log buffer to get instant feedback on their privilege escalation attacks, as failures will be shown as further oops messages, which attackers can use to fix and tune their programs until they work.
Currently, if I create a new, unprivileged user on a Focal system, they cannot access /var/log/kern.log, /var/log/syslog or see system events in journalctl. But yet, they are given free reign to the kernel log buffer.
$ sudo adduser dave
$ su dave
$ groups
dave
$ cat /var/log/kern.log
cat: /var/log/kern.log: Permission denied
$ cat /var/log/syslog
cat: /var/log/syslog: Permission denied
$ journalctl
Hint: You are currently not seeing messages from other users and the system.
Users in groups 'adm', 'systemd-journal' can see all messages.
Pass -q to turn off this notice.
Jun 16 23:44:59 ubuntu systemd[2328]: Reached target Main User Target.
Jun 16 23:44:59 ubuntu systemd[2328]: Startup finished in 69ms.
$ dmesg
[ 0.000000] Linux version 5.4.0-34-generic (buildd at lcy01-amd64-014)
(gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #38-Ubuntu SMP Mon May 25 15:46:55
UTC 2020 (Ubuntu 5.4.0-34.38-generic 5.4.41)
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.4.0-34-generic
root=UUID=f9f909c3-782a-43c2-a59d-c789656b4188 ro
...
I propose that we restrict access to dmesg to users in group 'adm' like so:
1) Add kernel.dmesg_restrict = 1 to
/etc/sysctl.d/10-kernel-hardening.conf
2) Following changes to /bin/dmesg permissions in package 'util-linux'
- Ownership changes to root:adm
- Permissions changed to 0750 (-rwxr-x---)
- Add cap_syslog capability to binary.
For most users, they will use the initial admin account, which is in the 'adm' group already, and will see no impact to these changes. If a log scraper type program needs access to dmesg, the user the daemon runs as can simply be added to the 'adm' group.
[Testcase]
Currently, all users can run /usr/bin/dmesg to view the kernel log buffer:
$ dmesg
[ 0.000000] Linux version 5.4.0-34-generic (buildd at lcy01-amd64-014)
(gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #38-Ubuntu SMP Mon May 25 15:46:55
UTC 2020 (Ubuntu 5.4.0-34.38-generic 5.4.41)
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.4.0-34-generic
root=UUID=f9f909c3-782a-43c2-a59d-c789656b4188 ro
...
When the changes are applied, the default admin user will be able to view dmesg (since they are in group 'adm'), while new unprivileged users will not.
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/lp1886112-test
$ whoami
ubuntu
$ groups
ubuntu adm cdrom sudo dip plugdev
$ dmesg
[ 0.000000] Linux version 5.4.0-34-generic (buildd at lcy01-amd64-014)
(gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #38-Ubuntu SMP Mon May 25 15:46:55
UTC 2020 (Ubuntu 5.4.0-34.38-generic 5.4.41)
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.4.0-34-generic
root=UUID=f9f909c3-782a-43c2-a59d-c789656b4188 ro
...
$ sudo adduser dave
$ su dave
$ groups
dave
$ dmesg
-bash: /usr/bin/dmesg: Permission denied
[Regression Potential]
Some users or log scraper type programs may need to view the kernel log buffer, or have access to dmesg. In this case, the underlying service user would need to be added to the 'adm' group.
Users have the ability to disable DMESG_RESTRICT by changing kernel.dmesg_restrict sysctl in /etc/sysctl.d/10-kernel-hardening.conf from '1' to '0', followed by a reboot. |
|
2020-07-06 14:54:07 |
Dan Streetman |
bug |
|
|
added subscriber Dan Streetman |
2020-07-24 00:25:51 |
Matthew Ruffell |
attachment added |
|
procps debdiff for Groovy https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886112/+attachment/5395388/+files/lp1886112_procps_groovy.debdiff |
|
2020-07-24 00:27:15 |
Matthew Ruffell |
attachment added |
|
util-linux debdiff for Groovy https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886112/+attachment/5395389/+files/lp1886112_util-linux_groovy.debdiff |
|
2020-07-30 14:49:28 |
Mathew Hodson |
linux (Ubuntu Groovy): importance |
Undecided |
Wishlist |
|
2020-07-30 14:49:32 |
Mathew Hodson |
procps (Ubuntu Groovy): importance |
Undecided |
Wishlist |
|
2020-07-30 14:49:34 |
Mathew Hodson |
util-linux (Ubuntu Groovy): importance |
Undecided |
Wishlist |
|
2020-08-10 23:48:08 |
Matthew Ruffell |
attachment removed |
util-linux debdiff for Groovy https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886112/+attachment/5395389/+files/lp1886112_util-linux_groovy.debdiff |
|
|
2020-08-10 23:49:04 |
Matthew Ruffell |
attachment added |
|
util-linux debdiff for Groovy https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886112/+attachment/5400541/+files/lp1886112_util-linux_groovy.debdiff |
|
2020-08-31 00:21:13 |
Matthew Ruffell |
util-linux (Ubuntu Groovy): status |
In Progress |
Won't Fix |
|
2020-08-31 00:22:55 |
Matthew Ruffell |
linux (Ubuntu Groovy): status |
Fix Committed |
Fix Released |
|
2020-09-25 22:23:08 |
Brian Murray |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2020-10-02 00:38:00 |
Launchpad Janitor |
procps (Ubuntu Groovy): status |
In Progress |
Fix Released |
|
2021-01-19 05:05:16 |
Mathew Hodson |
util-linux (Ubuntu): status |
In Progress |
Won't Fix |
|