Comment 0 for bug 1784964

TJ (tj) wrote: Regression due to CVE-2018-1116 (processes not inheriting user ID or groups)

This report is tracking a possible regression caused by the recent CVE-2018-1116 patches to policykit-1.

On 18.04, since package upgrades on July 23rd, and after the first reboot since then on Aug 1st, I hit an issue with the primary (sudo, adm, etc...) user getting Permission Denied trying to do:

tail -f /var/log/syslog

when that file is owned by syslog:adm and is g=r.

I then found that "groups" reports only the $USER and not the entire list, but "groups $USER" reports all the groups correctly.

The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g default-shell /bin/bash"

After changing the user's shell back to /bin/bash and logging in on tty1 the list of groups shows correctly for the /bin/bash process running on tty1.

I investigated and found that for the affected processes, such as the tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash process on tty1 correctly reported 1000. The same with the respective gid_map and uid_map.

4294967295 == -1 == 0xFFFFFFFF

The recent CVE patch to policykit has several functions where it does "uid = -1" which seems to tie in to my findings so far.
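
The checks described in this report (comparing a process's groups with the user database, and reading /proc/$PID/loginuid) can be scripted for any PID. This is an added example, not part of the original bug comment; the function names and the sample GID values are assumptions made for illustration.

```python
import os
import pwd
import sys

UNSET_ID = 0xFFFFFFFF  # (uid_t)-1, the kernel's "loginuid not set" value

def parse_status(text):
    """Return (real uid, set of GIDs held) from /proc/PID/status text."""
    uid, gids = None, set()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields = value.split()
        if key == "Uid":
            uid = int(fields[0])          # order: real, effective, saved, fs
        elif key == "Gid":
            gids.add(int(fields[0]))      # primary group
        elif key == "Groups":
            gids.update(int(g) for g in fields)  # supplementary groups
    return uid, gids

def audit(loginuid_text, status_text, expected_gids):
    """Compare a process's credentials with what the user database grants."""
    uid, gids = parse_status(status_text)
    return {
        "uid": uid,
        "loginuid_unset": int(loginuid_text.strip()) == UNSET_ID,
        "missing_gids": sorted(set(expected_gids) - gids),
    }

def database_gids(uid):
    """GIDs the user database assigns to uid (what `groups $USER` lists)."""
    user = pwd.getpwuid(uid)
    return set(os.getgrouplist(user.pw_name, user.pw_gid))

# Constructed sample mirroring the symptoms in the report (GIDs are made up).
SAMPLE_LOGINUID = "4294967295\n"
SAMPLE_STATUS = ("Name:\ttmux\nUid:\t1000\t1000\t1000\t1000\n"
                 "Gid:\t1000\t1000\t1000\t1000\nGroups:\t1000\n")
SAMPLE_EXPECTED = {4, 27, 1000}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: python3 script.py PID
        with open(f"/proc/{sys.argv[1]}/loginuid") as f:
            loginuid = f.read()
        with open(f"/proc/{sys.argv[1]}/status") as f:
            status = f.read()
        print(audit(loginuid, status, database_gids(parse_status(status)[0])))
    else:
        print(audit(SAMPLE_LOGINUID, SAMPLE_STATUS, SAMPLE_EXPECTED))
```

A non-empty missing_gids list together with loginuid_unset set to True matches the state reported here for the tmux process; the /bin/bash process on tty1 would show neither.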