Bug 1528439

Summary: unbound: Privilege escalation via writable config file
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: pemensik, pj.pandit, pwouters
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-22 02:57:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1528445    
Bug Blocks: 1528446    

Description Pedro Sampaio 2017-12-21 20:22:45 UTC
As reported:

The ebuilds for net-dns/unbound create the "unbound" user with its home directory set to /etc/unbound:

  pkg_setup() {
    enewgroup unbound
    enewuser unbound -1 -1 /etc/unbound unbound

    use python && python-single-r1_pkg_setup

As a result, /etc/unbound is writable by the "unbound" user. However, that's where the sensitive unbound.conf gets installed (as root:root):

  $ /bin/ls -al /etc/unbound/
  total 44
  drwxr-xr-x  2 unbound root  4096 Dec 14 13:59 .
  drwxr-xr-x 79 root    root  4096 Dec 14 13:59 ..
  -rw-r--r--  1 root    root 34276 Dec 14 13:59 unbound.conf

That conf file must only be writable by root; at least...

  * the OpenRC service script uses the value of "pidfile" found
    in unbound.conf, so anyone who can edit that file can clobber
    things on the fileystem.

  * the daemon binds to its interface and port as root, so the
    "unbound" user could bind to e.g. port 80.

  * From daemon/unbound.c and daemon/remote.c, it looks like unbound
    will call "chown" on its pidfile/socket respectively, meaning that
    if the "unbound" user can alter the pidfile or local socket location,
    then he can take control of any file the next time the daemon is
    started. (I haven't tested this one, because the first two are bad



Comment 1 Pedro Sampaio 2017-12-21 20:53:05 UTC
Created unbound tracking bugs for this issue:

Affects: fedora-all [bug 1528445]

Comment 2 Doran Moppert 2017-12-22 02:49:46 UTC
The description sounds specific to Gentoo's packaging of unbound, and indeed Fedora + RHEL's configuration does not have this issue:

    # cd /etc/unbound
    # ls -laZ
    drwxr-xr-x.   5 root root    system_u:object_r:named_conf_t:s0  4096 Dec 22 12:53 .
    drwxr-xr-x. 175 root root    system_u:object_r:etc_t:s0        12288 Dec 22 09:41 ..
    drwxr-xr-x.   2 root unbound system_u:object_r:named_conf_t:s0  4096 Dec 22 12:53 conf.d
    -rw-r--r--.   1 root root    system_u:object_r:named_conf_t:s0 13026 Dec  2 02:33 icannbundle.pem
    drwxr-xr-x.   2 root unbound system_u:object_r:named_conf_t:s0  4096 Dec 22 12:53 keys.d
    drwxr-xr-x.   2 root unbound system_u:object_r:named_conf_t:s0  4096 Dec 22 12:53 local.d
    -rw-r--r--.   1 root root    system_u:object_r:dnssec_t:s0       939 Dec  2 02:44 root.key
    -rw-r--r--.   1 root root    system_u:object_r:named_conf_t:s0 35901 Dec  2 02:33 unbound.conf


    # ls -lZ conf.d/* local.d/*
    -rw-rw-r--. root unbound system_u:object_r:named_conf_t:s0 conf.d/example.com.conf
    -rw-rw-r--. root unbound system_u:object_r:named_conf_t:s0 local.d/block-example.com.conf

Default /etc/unbound/unbound.conf includes conf.d/*.conf and local.d/*.conf, including these default (empty except comments) files.

SELinux prevents unbound (named_t) from writing these files *even prior to dropping privs*, but with SELinux disabled it is possible that a compromise of unbound could use these writable files to clobber other filesystem objects, possibly privesc.

I think removing g+w permissions from these files should be considered to add a layer of protection for non-SELinux environments, but it is not an urgent fix since SELinux effectively mitigates and unbound has a strong security track record.