user session support allows non-priv users to gain root privileges

Bug #766206 reported by James Hunt on 2011-04-19
Affects: upstart (Ubuntu). Importance: Critical. Assigned to: James Hunt.
Affects: upstart (Ubuntu Natty). Importance: Critical. Assigned to: James Hunt.

Bug Description

Binary package hint: upstart

Upstart 0.9.4-1ubuntu1 contains user session code. For natty, user sessions are disabled. However, should a user/admin re-enable user session support (by pulling the Upstart.conf dbus config file from upstream Upstart), starting a user job would allow root escalation since all user session jobs run as root.

The following branch includes a fix for this issue:

  lp:~jamesodhunt/ubuntu/natty/upstart/fix-chroot-sessions

Changed in upstart (Ubuntu Natty):
importance: Undecided → Critical
assignee: nobody → James Hunt (jamesodhunt)
status: New → Fix Committed
milestone: none → ubuntu-11.04
Dave Walker (davewalker) on 2011-04-19
tags: added: server-nro
Martin Pitt (pitti) wrote :

I noted that the new version does this:

+ if (uid && setuid (uid) < 0) {
+ nih_error_raise_system ();
+ job_process_error_abort (fds[1], JOB_PROCESS_ERROR_SETUID, 0);
+ }
+
+ if (pw->pw_gid && setgid (pw->pw_gid) < 0) {
+ nih_error_raise_system ();
+ job_process_error_abort (fds[1], JOB_PROCESS_ERROR_SETGID, 0);
+ }
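Review bot: the two blocks are in the wrong order for a privilege drop; the setgid() block has to run before the setuid() block. Once `setuid (uid)` has moved the effective uid away from root the process no longer holds CAP_SETGID, so `setgid (pw->pw_gid)` is only permitted for a gid the process already has and otherwise fails with EPERM, which takes the job down through `job_process_error_abort (fds[1], JOB_PROCESS_ERROR_SETGID, 0)`. Swap the blocks so the gid (and, conventionally, the supplementary groups) is set while the process is still root and setuid() is the last step; aborting on failure stays the right reaction, since falling through would start the job with ids other than the intended ones.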

Does that actually work that way around? After setuid() you usually lose the privilege of changing between arbitrary groups (CAP_SETGID). I suppose it actually works if you switch to the user's primary group, but I've seen it fail in the past in daemons changing to a system user. The usual approach is to change the group first, then the user. But the result here would be an abort of the job, which is safe, so I don't object to the change with my release hat on because of this.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package upstart - 0.9.6-1ubuntu1

---------------
upstart (0.9.6-1ubuntu1) natty; urgency=low

  [ James Hunt ]
  * init/man/init.5: Remove mention of user jobs since facility is
    disabled.

  [ Clint Byrum ]
  * Noting bugs fixed by 0.9.6 release of upstart: (LP: #728531 , LP: #766206)
 -- Clint Byrum <email address hidden> Tue, 19 Apr 2011 13:16:46 -0700

Changed in upstart (Ubuntu Natty):
status: Fix Committed → Fix Released