Regression due to CVE patches in kwallet-pam (processes not inheriting user's supplementary groups )
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
policykit-1 (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
This report is tracking a possible regression caused by the recent CVE-2018-1116 patches to policykit-1.
On 18.04, since package upgrades on July 23rd, and after the first reboot since then on Aug 1st, I hit an issue with the primary (sudo, adm, etc...) user getting Permission Denied trying to do:
tail -f /var/log/syslog
when that file is owned by syslog:adm and is g=r.
I then found that "groups" reports only the $USER and not the entire list, but "groups $USER" reports all the groups correctly.
The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g default-shell /bin/bash"
After changing the user's shell back to /bin/bash and logging in on tty1 the list of groups shows correctly for the /bin/bash process running on tty1.
I investigated and found that for the affected processes, such as the tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash process on tty1 correctly reported 1000. The same with the respective gid_map and uid_map.
4294967295 == -1 == 0xFFFFFFFF
The recent CVE patch to policykit has several functions where it does "uid = -1" which seems to tie in to my findings so far.
I also noticed Ubuntu is still based on version 0.105 which was released in 2012 - upstream released 0.115 with the CVE patch.
I suspect the backporting has missed something.
The Ubuntu backport patch is:
description: | updated |
summary: |
- Regression due to CVE-2018-1116 (processes not inheriting user ID or - groups ) + Regression due to CVE-2018-1116 (processes not inheriting user's groups + ) |
summary: |
- Regression due to CVE-2018-1116 (processes not inheriting user's groups - ) + Regression due to CVE-2018-1116 (processes not inheriting user's + supplementary groups ) |
tags: | added: regression-update |
I observe what is likely the same problem on XUbuntu 16.04.5, running these commands in xfce4-terminal:
user1@mysystem:~$ lsb_release -ds;cat /proc/version;echo $SHELL; groups; groups $(whoami) lcy01-amd64- 024) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~ 16.04.10) ) #31~16.04.1-Ubuntu SMP Wed Jul 18 08:54:04 UTC 2018
Ubuntu 16.04.5 LTS
Linux version 4.15.0-29-generic (buildd@
/bin/bash
user1
user1 : user1 adm disk fax cdrom sudo dip plugdev users lxd lpadmin sambashare libvirtd vboxusers
user1@mysystem:~$ ps f loginuid; echo
PID TTY STAT TIME COMMAND
3544 pts/2 Ss 0:00 bash
3582 pts/2 R+ 0:00 \_ ps f
user1@mysystem:~$ cat /proc/3544/
4294967295
Everything behaves correctly on tty1 or after sudo login + login as user1 on the terminal.