user session support allows non-priv users to gain root privileges
Bug #766206 reported by James Hunt
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
upstart (Ubuntu) | Fix Released | Critical | James Hunt |
Natty | Fix Released | Critical | James Hunt |
Bug Description
Binary package hint: upstart
Upstart 0.9.4-1ubuntu1 contains user session code. For natty, user sessions are disabled. However, should a user/admin re-enable user session support (by pulling the Upstart.conf dbus config file from upstream Upstart), starting a user job would allow root escalation since all user session jobs run as root.
The following branch includes a fix for this issue:
Related branches
lp:~jamesodhunt/ubuntu/natty/upstart/fix-chroot-sessions
- Clint Byrum (community): Approve
Diff: 4753 lines (+842/-700), 38 files modified
ChangeLog (+62/-0)
NEWS (+21/-0)
configure.ac (+1/-1)
debian/changelog (+28/-0)
debian/upstart-job (+14/-4)
init/Makefile.am (+4/-2)
init/conf.c (+18/-12)
init/conf.h (+1/-1)
init/control.c (+5/-1)
init/job.c (+8/-2)
init/job_class.c (+34/-14)
init/job_process.c (+59/-0)
init/job_process.h (+3/-1)
init/main.c (+8/-0)
init/man/init.5 (+0/-38)
init/man/init.8 (+11/-7)
init/parse_job.c (+2/-2)
init/session.c (+21/-8)
init/session.h (+27/-2)
init/tests/test_blocked.c (+4/-6)
init/tests/test_conf.c (+15/-22)
init/tests/test_control.c (+11/-12)
init/tests/test_environ.c (+3/-0)
init/tests/test_event.c (+28/-40)
init/tests/test_event_operator.c (+3/-0)
init/tests/test_job.c (+70/-148)
init/tests/test_job_class.c (+54/-145)
init/tests/test_job_process.c (+34/-59)
init/tests/test_parse_conf.c (+3/-0)
init/tests/test_parse_job.c (+3/-0)
init/tests/test_process.c (+3/-0)
init/tests/test_system.c (+3/-0)
po/upstart.pot (+152/-136)
scripts/init-checkconf.sh (+34/-10)
scripts/man/init-checkconf.8 (+22/-10)
util/initctl.c (+16/-5)
util/man/initctl.8 (+3/-1)
util/tests/test_initctl.c (+54/-11)
Changed in upstart (Ubuntu Natty):
importance: Undecided → Critical
assignee: nobody → James Hunt (jamesodhunt)
status: New → Fix Committed
milestone: none → ubuntu-11.04
tags: added: server-nro
I noted that the new version does this:
+ if (uid && setuid (uid) < 0) { raise_system (); error_abort (fds[1], JOB_PROCESS_ ERROR_SETUID, 0); raise_system (); error_abort (fds[1], JOB_PROCESS_ ERROR_SETGID, 0);
+ nih_error_
+ job_process_
+ }
+
+ if (pw->pw_gid && setgid (pw->pw_gid) < 0) {
+ nih_error_
+ job_process_
+ }
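Review bot: the privilege drop in this hunk calls setuid(uid) before setgid(pw->pw_gid); once the effective uid is no longer 0 the process normally no longer holds CAP_SETGID, so the setgid() can fail with EPERM and the job aborts instead of starting (safe, but broken for the intended use). Swap the two steps so the group is changed first, then the user. Nothing in the lines shown drops supplementary groups either (no setgroups()/initgroups() before the setuid()), so unless that happens elsewhere the user job keeps whatever groups the root init process had. The `if (uid && ...)` and `if (pw->pw_gid && ...)` guards silently skip the call when the target id is 0; that is intentional for jobs that stay root, but deserves a comment.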
Does that actually work that way around? After setuid() you usually lose the privilege of changing between arbitrary groups (CAP_SETGID). I suppose it actually works if you switch to the user's primary group, but I've seen it fail in the past in daemons changing to a system user. The usual approach is to change the group first, then the user. But the result here would be an abort of the job, which is safe, so I don't object to the change with my release hat on because of this.
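As an added illustration of the ordering the comment above describes (this is not Upstart's code; the function names and result codes are invented), a privilege-drop routine that clears supplementary groups and sets the gid while the process is still privileged, calls setuid() last, and then checks that root cannot be regained:

```c
/* Added example, not from the Upstart source: drop privileges in the order
 * groups -> gid -> uid, then verify the drop is irreversible. */
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
#include <errno.h>
#include <stdio.h>

enum drop_result { DROP_OK = 0, DROP_ERR_SETGROUPS, DROP_ERR_SETGID, DROP_ERR_SETUID };

/* Groups and gid are changed while we still hold CAP_SETGID; setuid() comes
 * last because afterwards an unprivileged process cannot switch to arbitrary
 * groups, which is exactly the failure the comment above describes. */
enum drop_result drop_privileges(uid_t uid, gid_t gid)
{
    /* Only a privileged process can clear supplementary groups; an
     * unprivileged one could not change them anyway, so skip the call. */
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return DROP_ERR_SETGROUPS;
    if (setgid(gid) < 0)
        return DROP_ERR_SETGID;
    if (setuid(uid) < 0)
        return DROP_ERR_SETUID;
    return DROP_OK;
}

/* Returns 1 when real and effective ids equal the target and, for a non-root
 * target, root cannot be regained: setuid(0) must fail with EPERM, which also
 * proves the saved set-user-ID is not 0. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid == 0)
        return 1;   /* a root target has nothing to prove */
    errno = 0;
    return setuid(0) == -1 && errno == EPERM;
}

int main(void)
{
    /* Dropping to our own ids is a no-op that still exercises the ordering. */
    enum drop_result r = drop_privileges(getuid(), getgid());
    printf("drop result %d, verified %d\n", r, privileges_dropped(getuid(), getgid()));
    return r == DROP_OK ? 0 : 1;
}
```

Run it as root with a real target uid/gid to see the full sequence; as an ordinary user the setgroups() step is skipped and the verification still confirms that root cannot be regained.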