snapd gives all users access to system logs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snapd | Fix Released | Undecided | John Lenton |
snapd (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Zesty | Fix Released | Undecided | Unassigned |
Artful | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Bug Description
Using the /v2/logs REST API call, any user can access system logs, i.e.:
$ journalctl
Hint: You are currently not seeing messages from other users and the system.
Users in the 'systemd-journal' group can see all messages. Pass -q to
turn off this notice.
No journal files were opened due to insufficient permissions.
$ curl -s --unix-socket /run/snapd.socket http://
{
"timestamp": "2017-11-
"message": "pam_unix(
"sid": "pkexec",
"pid": "29512"
}
This was introduced in (snapd 2.27):
commit 85331c16dd76eb1
Author: John Lenton <email address hidden>
Date: Thu Aug 3 17:09:34 2017 +0100
many: implement "snap logs" (#3630)
* many: implement "snap logs"
* cmd/snap: drop ineffectual assignment (ouch)
* systemd: drop unused methods from Log; add tests for Log.Time
* many: address review feedback (mostly "d’oh"; thanks zyga!)
* address review feedback (thanks pedronis)
CVE References
Changed in snapd:
status: Triaged → In Progress
Changed in snapd:
status: In Progress → Fix Committed
Thanks for the report!
John, can you take a look at this? I think you need to look up the user/group from the cred on the socket and verify the user has the permissions to view the logs.
I've tentatively assigned this to John, but please feel free to reassign. I think this needs a CVE. Please don't discuss in public or make public commits until the security team comments further on this bug.
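The check suggested in the comment above (take the caller's identity from the credentials on the Unix socket, then verify it may view the logs), as an added Go example that is not snapd's code or its actual fix. It assumes Linux (SO_PEERCRED); `peerUID`, `mayReadLogs`, the demo socket name and the policy of "root or a member of the group named in the journalctl hint" are hypothetical choices made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"os/user"
	"slices"
	"syscall"
)

// peerUID returns the uid the kernel recorded for the socket's peer (SO_PEERCRED, Linux).
func peerUID(c *net.UnixConn) (uint32, error) {
	raw, err := c.SyscallConn()
	if err != nil {
		return 0, err
	}
	var cred *syscall.Ucred
	ctlErr := raw.Control(func(fd uintptr) {
		cred, err = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	})
	if ctlErr != nil || err != nil {
		return 0, fmt.Errorf("SO_PEERCRED: control=%v getsockopt=%v", ctlErr, err)
	}
	return cred.Uid, nil
}

// mayReadLogs is an assumed policy, not snapd's: root, or a member of logGroup.
func mayReadLogs(uid uint32, logGroup string) bool {
	u, uerr := user.LookupId(fmt.Sprint(uid))
	g, gerr := user.LookupGroup(logGroup)
	if uid == 0 || uerr != nil || gerr != nil {
		return uid == 0 // root always; anyone else is denied when a lookup fails
	}
	gids, _ := u.GroupIds() // on error gids is empty, so the answer is deny
	return slices.Contains(gids, g.Gid)
}

func main() {
	// Constructed demo: abstract-namespace socket, client and server in one process.
	l, err := net.ListenUnix("unix", &net.UnixAddr{Name: "@peercred-demo", Net: "unix"})
	if err != nil {
		panic(err)
	}
	go net.Dial("unix", "@peercred-demo")
	if conn, err := l.AcceptUnix(); err == nil {
		uid, err := peerUID(conn)
		fmt.Println("uid:", uid, "err:", err, "allowed:", err == nil && mayReadLogs(uid, "systemd-journal"))
	}
}
```

The uid comes from the kernel rather than from anything in the HTTP request, so a local client cannot claim to be another user; a handler for a sensitive endpoint would call the policy check before returning any log entries.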