Missing input sanitation in upstart logrotation cronjob
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | upstart (Ubuntu) |
High
|
James Hunt | ||
Bug Description
Ubuntu Vivid 1504 (development branch) installs an insecure upstart logrotation script which will read user-supplied data from /run/user/
Problematic part of /etc/cron.
for session in /run/user/
do
env $(cat $session) /sbin/initctl emit rotate-logs >/dev/null 2>&1 || true
done
On a system with e.g. libpam-systemd installed, standard login on TTY or via SSH will create the directory /run/user/[uid] writable to the user. By preparing a suitable session file, user supplied code will be run during the daily cron-jobs.
See [1] for more information.
# lsb_release -rd
Description: Ubuntu Vivid Vervet (development branch)
Release: 15.04
# apt-cache policy upstart-bin
upstart-bin:
Installed: 1.13.2-0ubuntu7
Candidate: 1.13.2-0ubuntu7
Version table:
*** 1.13.2-0ubuntu7 0
500 http://
100 /var/lib/
[1] http://
Related branches
- Colin Watson: Approve on 2015-02-26
- Dimitri John Ledkov: Pending requested 2015-02-26
-
Diff: 37 lines (+18/-2)2 files modifieddebian/changelog (+8/-0)
debian/upstart-bin.upstart.cron.daily (+10/-2)
| information type: | Private Security → Public Security |
| James Hunt (jamesodhunt) wrote : | #1 |
| Changed in upstart (Ubuntu): | |
| assignee: | nobody → James Hunt (jamesodhunt) |
| importance: | Undecided → High |
| Changed in upstart (Ubuntu): | |
| status: | New → Fix Committed |
| James Hunt (jamesodhunt) wrote : | #2 |
Fixed in upstart 1.13.2-0ubuntu9, currently in the proposed pocket.
| Launchpad Janitor (janitor) wrote : | #3 |
This bug was fixed in the package upstart - 1.13.2-0ubuntu9
---------------
upstart (1.13.2-0ubuntu9) vivid; urgency=medium
* debian/
of the session file itself to stop a user forcing the logrotation of
another users logs.
-- James Hunt <email address hidden> Thu, 26 Feb 2015 14:35:41 +0000
| Changed in upstart (Ubuntu): | |
| status: | Fix Committed → Fix Released |
| Jann Horn (jann-e) wrote : | #4 |
I'm not sure whether this is the right place to write this, but those permission checks look really racy - both the file type test and the file owner UID check.
(Besides, I think that an attacker should be able to hardlink a file created by another user into his directory, which would also lead to a bypass of the UID equality check, but I'm not familiar enough with ubuntu to be able to say whether that attack is actually feasible.)
| Seth Arnold (seth-arnold) wrote : | #5 |
Jann, thanks for the comment; I believe the checks aren't strictly necessary; the grep command used to extract one specific variable with the given legal values is the more important part of this patch.
That said, /run/user is a filesystem in its own right, so cross-mount hardlinks aren't possible, and at least on my system, all the directories are mode 700, so hardlinking to another user's file on the filesystem will be difficult.
Have you thought of anything else in the meantime? Thanks
Note - this problem only affects vivid fwics. Further, it does not affect Touch (since that uses Upstart as PID 1).