Bug 1378893
| Summary: | CVE-2018-1113 setup: nologin listed in /etc/shells violates security expectations [fedora-all] | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jakub Svoboda <jsvoboda> |
| Component: | setup | Assignee: | Ondrej Vasik <ovasik> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 27 | CC: | dmoppert, jorti, mpitt, security-response-team, shiva, toby |
| Target Milestone: | --- | Keywords: | Reopened, Security, SecurityTracking |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | setup-2.11.4-1.fc28 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-27 04:03:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1571094 | ||
Hi Jakub, not the first bug report like this. See e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1277219 ... as I suggested in https://bugzilla.redhat.com/show_bug.cgi?id=1277219#c1 - /sbin/nologin was added as request by https://bugzilla.redhat.com/show_bug.cgi?id=53963 . Feel free to discuss potential risk caused by this /etc/shells entry on fedora devel list and add a pointer to the mail thread into this bugzilla. I agree this behaviour is suboptimal and it should be really clarified if there is some reason for "fixing" #53963 this way or not. Hi Ondrej, thank you for providing reference to the other bug reports. Sorry for not finding them outright. I posted to the fedora devel list to discuss the issue - https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/UCUWTT63JS72R7ROFE46ZVUZLFN3K2MZ/ Whole thread: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/UCUWTT63JS72R7ROFE46ZVUZLFN3K2MZ/#UCUWTT63JS72R7ROFE46ZVUZLFN3K2MZ Made the report public since this issue is publicly known for a long time. Based on the discussion on the mailing list, I don't see any reason to keep it in /etc/shells in Rawhide - so I tend to remove it in next Rawhide build. This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'. This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'. Can this be done now? This keeps being a security vulnerability. E. g. a user with a nologin shell can log into Cockpit and do stuff there. Ok, built in f28 and master... setup-2.11.4-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-f47268acd5 Thank you Ondrej! setup-2.11.4-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f47268acd5 *** Bug 1571103 has been marked as a duplicate of this bug. *** setup-2.11.4-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. This change is in RHEL 7.6 and elicited bug 1647485 affecting vsftpd (ie. release change notes didn't warn of the effect on FTP users). |
Description of problem: nologin listed in /etc/shells violates security expectations of su, nologin, as well as of /etc/shells. /etc/shells should list only non-restricted shells. Version-Release number of selected component (if applicable): 2.10.4-1.fc25 How reproducible: always Steps to Reproduce: 1. set up a user with /sbin/nologin as default shell 2. su -s /usr/bin/bash - user 3. login Actual results: * logged in as the user with the specified non-restricted shell. * /etc/shells contains nologin. Expected results: * su prohibits the command line-specified shell from being used because the default shell is restricted. * /etc/shells doesn't contain nologin. Additional info: # showing the bug ############################### [jsvoboda@localhost ~]$ whoami jsvoboda [jsvoboda@localhost ~]$ cat /etc/shells /bin/sh /bin/bash /sbin/nologin /usr/bin/sh /usr/bin/bash /usr/sbin/nologin [jsvoboda@localhost ~]$ man shells | grep DESCR -A3 DESCRIPTION /etc/shells is a text file which contains the full pathnames of valid login shells. This file is consulted by chsh(1) and available to be queried by other programs. [jsvoboda@localhost ~]$ sudo dnf distro-sync --refresh Dependencies resolved. Nothing to do. Complete! [jsvoboda@localhost ~]$ date Fri Sep 23 12:24:02 CEST 2016 [jsvoboda@localhost ~]$ uname -a Linux localhost 4.8.0-0.rc7.git2.1.fc26.x86_64 #1 SMP Wed Sep 21 21:48:23 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux [jsvoboda@localhost ~]$ cat /etc/os-release NAME=Fedora VERSION="26 (Rawhide)" ID=fedora VERSION_ID=26 PRETTY_NAME="Fedora 26 (Rawhide)" ANSI_COLOR="0;34" CPE_NAME="cpe:/o:fedoraproject:fedora:26" HOME_URL="https://fedoraproject.org/" BUG_REPORT_URL="https://bugzilla.redhat.com/" REDHAT_BUGZILLA_PRODUCT="Fedora" REDHAT_BUGZILLA_PRODUCT_VERSION=rawhide REDHAT_SUPPORT_PRODUCT="Fedora" REDHAT_SUPPORT_PRODUCT_VERSION=rawhide PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy [jsvoboda@localhost ~]$ cat /etc/passwd | grep testuser # shell is in /etc/shells testuser:x:1001:1001::/home/testuser:/bin/bash [jsvoboda@localhost ~]$ su -s /usr/bin/bash - testuser # can specify a different shell (correct behavior) Password: [testuser@localhost ~]$ whoami testuser [testuser@localhost ~]$ exit logout [jsvoboda@localhost ~]$ whoami jsvoboda [jsvoboda@localhost ~]$ su -s /usr/bin/mc - testuser # can specify a different shell Password: [jsvoboda@localhost ~]$ # mc did run [jsvoboda@localhost ~]$ sudo vi /etc/passwd [jsvoboda@localhost ~]$ cat /etc/passwd | grep testuser # shell is not in /etc/shells, doesn't exist testuser:x:1001:1001::/home/testuser:/bin/nonexisting [jsvoboda@localhost ~]$ su -s /usr/bin/bash - testuser # cannot log in (correct behavior) Password: su: using restricted shell /bin/nonexisting su: failed to execute /bin/nonexisting: No such file or directory [jsvoboda@localhost ~]$ su -s /usr/bin/mc - testuser # cannot log in (correct behavior) Password: su: using restricted shell /bin/nonexisting su: failed to execute /bin/nonexisting: No such file or directory [jsvoboda@localhost ~]$ which -a false /usr/bin/false /bin/false [jsvoboda@localhost ~]$ sudo vi /etc/passwd [jsvoboda@localhost ~]$ cat /etc/passwd | grep testuser # shell is not in /etc/shells, does exist testuser:x:1001:1001::/home/testuser:/bin/false [jsvoboda@localhost ~]$ su -s /usr/bin/bash - testuser # cannot log in (correct behavior) Password: su: using restricted shell /bin/false [jsvoboda@localhost ~]$ su -s /usr/bin/mc - testuser Password: su: using restricted shell /bin/false [jsvoboda@localhost ~]$ man nologin | grep DESCR -A3 DESCRIPTION nologin displays a message that an account is not available and exits non-zero. It is intended as a replacement shell field to deny login access to an account. [jsvoboda@localhost ~]$ which -a nologin /usr/sbin/nologin [jsvoboda@localhost ~]$ sudo vi /etc/passwd [jsvoboda@localhost ~]$ cat /etc/passwd | grep testuser # shell is not in /etc/shells, doesn't exist (bad path on purpose) testuser:x:1001:1001::/home/testuser:/bin/nologin [jsvoboda@localhost ~]$ su -s /usr/bin/bash - testuser # cannot log in (correct behavior) Password: su: using restricted shell /bin/nologin su: failed to execute /bin/nologin: No such file or directory [jsvoboda@localhost ~]$ su -s /usr/bin/mc - testuser # cannot log in (correct behavior) Password: su: using restricted shell /bin/nologin su: failed to execute /bin/nologin: No such file or directory [jsvoboda@localhost ~]$ sudo vi /etc/passwd [jsvoboda@localhost ~]$ cat /etc/passwd | grep testuser # shell is in /etc/shells (BUG!), does exist testuser:x:1001:1001::/home/testuser:/sbin/nologin [jsvoboda@localhost ~]$ su -s /usr/bin/bash - testuser # can log in and specify an unrestricted shell (BUG - wrong assumption in su or wrong entry in /etc/shells) Password: [testuser@localhost ~]$ whoami testuser [testuser@localhost ~]$ exit logout [jsvoboda@localhost ~]$ su -s /usr/bin/mc - testuser # can log in and specify an unrestricted shell (BUG - wrong assumption in su or wrong entry in /etc/shells) Password: [jsvoboda@localhost ~]$ # mc did run # finding which package is at fault ################################### [root@localhost jsvoboda]# dnf provides /sbin/nologin Last metadata expiration check: 0:32:20 ago on Fri Sep 23 12:24:00 2016. util-linux-2.28.2-1.fc26.x86_64 : A collection of basic system utilities Repo : @System util-linux-2.28.2-1.fc26.i686 : A collection of basic system utilities Repo : rawhide util-linux-2.28.2-1.fc26.x86_64 : A collection of basic system utilities Repo : rawhide [root@localhost jsvoboda]# rpm -qa | grep util-linux util-linux-2.28.2-1.fc26.x86_64 [root@localhost jsvoboda]# rpm -e --nodeps util-linux-2.28.2-1.fc26.x86_64 [root@localhost jsvoboda]# cat /etc/shells /bin/sh /bin/bash /sbin/nologin /usr/bin/sh /usr/bin/bash /usr/sbin/nologin [root@localhost jsvoboda]# dnf provides /etc/shells Last metadata expiration check: 0:33:01 ago on Fri Sep 23 12:24:00 2016. setup-2.10.4-1.fc25.noarch : A set of system configuration and setup files Repo : @System setup-2.10.4-1.fc25.noarch : A set of system configuration and setup files Repo : rawhide [root@localhost jsvoboda]# rpm -qa | grep setup setup-2.10.4-1.fc25.noarch setuptool-1.19.11-11.fc24.x86_64 python3-setuptools-27.1.2-1.fc26.noarch initial-setup-0.3.43-1.fc26.x86_64 cryptsetup-libs-1.7.2-3.fc25.x86_64 cryptsetup-1.7.2-3.fc25.x86_64 python2-setuptools-27.1.2-1.fc26.noarch initial-setup-gui-0.3.43-1.fc26.x86_64 ibus-setup-1.5.14-2.fc26.noarch [root@localhost jsvoboda]# rpm -e --nodeps setup-2.10.4-1.fc25.noarch [root@localhost jsvoboda]# cat /etc/shells cat: /etc/shells: No such file or directory [root@localhost jsvoboda]# dnf install setup # install just setup without util-linux to see whether /sbin/nologin is added by setup or by util-linux Last metadata expiration check: 0:34:09 ago on Fri Sep 23 12:24:00 2016. Dependencies resolved. ============================================================================================================================== Package Arch Version Repository Size ============================================================================================================================== Installing: setup noarch 2.10.4-1.fc25 rawhide 174 k Transaction Summary ============================================================================================================================== Install 1 Package Total size: 174 k Installed size: 698 k Is this ok [y/N]: y Downloading Packages: [SKIPPED] setup-2.10.4-1.fc25.noarch.rpm: Already downloaded Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Installing : setup-2.10.4-1.fc25.noarch 1/1 Verifying : setup-2.10.4-1.fc25.noarch 1/1 Installed: setup.noarch 2.10.4-1.fc25 Complete! [root@localhost jsvoboda]# cat /etc/shells # yes, the setup pkg is at fault /bin/sh /bin/bash /sbin/nologin /usr/bin/sh /usr/bin/bash /usr/sbin/nologin