Date |
Who |
What changed |
Old value |
New value |
Message |
2018-08-01 23:32:34 |
TJ |
bug |
|
|
added bug |
2018-08-01 23:37:27 |
Emily Ratliff |
bug |
|
|
added subscriber Ubuntu Security Team |
2018-08-01 23:55:05 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
2018-08-02 00:12:47 |
TJ |
description |
This report is tracking a possible regression caused by the recent CVE-2018-1116 patches to policykit-1.
On 18.04, since package upgrades on July 23rd, and after the first reboot since then on Aug 1st, I hit an issue with the primary (sudo, adm, etc...) user getting Permission Denied trying to do:
tail -f /var/log/syslog
when that file is owned by syslog:adm and is g=r.
I then found that "groups" reports only the $USER and not the entire list, but "groups $USER" reports all the groups correctly.
The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g default-shell /bin/bash"
After changing the user's shell back to /bin/bash and logging in on tty1 the list of groups shows correctly for the /bin/bash process running on tty1.
I investigated and found that for the affected processes, such as the tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash process on tty1 correctly reported 1000. The same with the respective gid_map and uid_map.
4294967295 == -1 == 0xFFFFFFFF
The recent CVE patch to policykit has several functions where it does "uid = -1" which seems to tie in to my findings so far. |
This report is tracking a possible regression caused by the recent CVE-2018-1116 patches to policykit-1.
On 18.04, since package upgrades on July 23rd, and after the first reboot since then on Aug 1st, I hit an issue with the primary (sudo, adm, etc...) user getting Permission Denied trying to do:
tail -f /var/log/syslog
when that file is owned by syslog:adm and is g=r.
I then found that "groups" reports only the $USER and not the entire list, but "groups $USER" reports all the groups correctly.
The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g default-shell /bin/bash"
After changing the user's shell back to /bin/bash and logging in on tty1 the list of groups shows correctly for the /bin/bash process running on tty1.
I investigated and found that for the affected processes, such as the tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash process on tty1 correctly reported 1000. The same with the respective gid_map and uid_map.
4294967295 == -1 == 0xFFFFFFFF
The recent CVE patch to policykit has several functions where it does "uid = -1" which seems to tie in to my findings so far.
I also noticed Ubuntu is still based on version 0.105 which was released in 2012 - upstream released 0.115 with the CVE patch.
I suspect the backporting has missed something.
The Ubuntu backport patch is:
https://git.launchpad.net/ubuntu/+source/policykit-1/commit/?h=applied/ubuntu/bionic-devel&id=840c50182f5ab1ba28c1d20cce4c207364852935 |
|
2018-08-02 00:18:42 |
Launchpad Janitor |
policykit-1 (Ubuntu): status |
New |
Confirmed |
|
2018-08-02 01:42:47 |
TJ |
bug watch added |
|
https://bugs.freedesktop.org/show_bug.cgi?id=76358 |
|
2018-08-02 04:45:17 |
Alex Murray |
attachment added |
|
Screenshot from 2018-08-02 14-11-37.png https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+attachment/5170643/+files/Screenshot%20from%202018-08-02%2014-11-37.png |
|
2018-08-02 10:33:52 |
TJ |
attachment added |
|
List of packages upgraded July 28th https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+attachment/5170768/+files/bug-groups-packages-updated.log |
|
2018-08-02 11:42:02 |
TJ |
summary |
Regression due to CVE-2018-1116 (processes not inheriting user ID or groups ) |
Regression due to CVE-2018-1116 (processes not inheriting user's groups ) |
|
2018-08-02 12:06:52 |
TJ |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779988 |
|
2018-08-02 12:32:30 |
Marc Deslauriers |
bug |
|
|
added subscriber Marc Deslauriers |
2018-08-04 10:33:43 |
TJ |
summary |
Regression due to CVE-2018-1116 (processes not inheriting user's groups ) |
Regression due to CVE-2018-1116 (processes not inheriting user's supplementary groups ) |
|
2018-08-06 23:30:51 |
Tom Reynolds |
bug |
|
|
added subscriber Tom Reynolds |
2018-08-27 15:34:29 |
Oliver Sturm |
bug |
|
|
added subscriber Oliver Sturm |
2018-10-08 17:25:40 |
Dimitri John Ledkov |
tags |
|
regression-update |
|
2018-10-26 16:05:13 |
TJ |
marked as duplicate |
|
1781418 |
|
2018-10-26 16:05:38 |
TJ |
summary |
Regression due to CVE-2018-1116 (processes not inheriting user's supplementary groups ) |
Regression due to CVE patches in kwallet-pam (processes not inheriting user's supplementary groups ) |
|