Bug 1851408

Summary: pam: pam_setquota.so vulnerability facilitated through fusermount setuid-root program
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: besser82, dapospis, dblechte, dfediuck, eedri, ipedrosa, mgoldboi, michal.skrivanek, pbrezina, sbonazzo, sherold, tmraz, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-06-29 05:23:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1851409
Bug Blocks: 1850559

Description Michael Kaplan 2020-06-26 13:01:52 UTC
The pam_setquota module iterates over all mounted file systems using
`setmntent()` and `getmntent()`. It tries to find the longest match of a
file system mounted on /home/$USER or above (except when the explicit
fs=/some/path parameter is passed to the pam module).

The home directory /home/$USER is owned by the unprivileged user,
however. There exist tools like `fusermount` from libfuse, which is by
default installed setuid-root for everybody. `fusermount` allows
unprivileged users to mount a FUSE file system using an arbitrary
source device name.
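The following audit script is an added example written for this page; it is not code from the report above and not Linux-PAM's pam_setquota implementation. It reproduces the longest-prefix selection the report describes (the entry whose mount point covers /home/$USER and is the longest wins, as getmntent() would enumerate it, ignoring the explicit fs= parameter case) over constructed /proc/mounts-style lines, and then flags the selected entry when its origin looks untrusted. The three "untrusted" heuristics (FUSE filesystem type, a source that is not a /dev path, a non-root user_id= mount option) are this example's own assumptions for auditing a host; they are not the upstream fix referred to later in this bug.

```python
"""Audit which mount entry a pam_setquota-style longest-prefix search would
select for a given home directory, and whether that entry looks untrusted.

Example code for this bug page, not part of Linux-PAM. Input is the format
of /proc/mounts (the same records getmntent() yields from /etc/mtab).
"""
import os

_OCTAL = "01234567"


def _unescape(field: str) -> str:
    """Decode the \\ooo octal escapes /proc/mounts uses for space, tab, etc."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 4 <= len(field) and all(c in _OCTAL for c in field[i + 1:i + 4]):
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mounts(text: str) -> list:
    """Parse mount records into dicts; malformed lines are skipped."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mounts.append({
            "source": _unescape(parts[0]),
            "mountpoint": _unescape(parts[1]),
            "fstype": parts[2],
            "options": parts[3].split(","),
        })
    return mounts


def _covers(mountpoint: str, path: str) -> bool:
    """True if path is the mount point itself or lies below it (component boundary)."""
    base = mountpoint.rstrip("/")
    return path == mountpoint or path.startswith(base + "/")


def longest_match(mounts: list, home: str):
    """Pick the entry with the longest mount point that is /home/$USER or above.
    On equal length the later record wins, since it shadows an earlier mount."""
    home = os.path.normpath(home)
    best = None
    for m in mounts:
        if not _covers(m["mountpoint"], home):
            continue
        if best is None or len(m["mountpoint"]) >= len(best["mountpoint"]):
            best = m
    return best


def untrusted_reasons(mount: dict) -> list:
    """Heuristics (assumptions of this example) for an entry a user could have created."""
    reasons = []
    if mount["fstype"] == "fuse" or mount["fstype"].startswith("fuse."):
        reasons.append("FUSE filesystem: can be mounted by an unprivileged user via setuid fusermount")
    if not mount["source"].startswith("/dev/"):
        reasons.append("source %r is not a device node path" % mount["source"])
    for opt in mount["options"]:
        if opt.startswith("user_id=") and opt != "user_id=0":
            reasons.append("mounted on behalf of a non-root user (%s)" % opt)
    return reasons


def audit(text: str, home: str):
    """Return (selected mount or None, list of reasons it should not be trusted)."""
    chosen = longest_match(parse_mounts(text), home)
    return (chosen, untrusted_reasons(chosen)) if chosen else (None, [])


# Constructed sample: /home is a root-mounted ext4 volume with user quota enabled,
# but an unprivileged user has a FUSE mount with an arbitrary source name on /home/alice.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /home ext4 rw,relatime,usrquota 0 0
not-a-real-device /home/alice fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
/dev/sdc1 /home/alice-archive ext4 rw,relatime 0 0
/dev/sdd1 /mnt/usb\\040stick ext4 rw,relatime 0 0
"""

if __name__ == "__main__":
    for home in ("/home/alice", "/home/bob", "/root"):
        chosen, reasons = audit(SAMPLE_MOUNTS, home)
        print(home, "->", chosen["source"], "on", chosen["mountpoint"])
        for r in reasons:
            print("   !", r)
```

Run against a live system, replace SAMPLE_MOUNTS with the contents of /proc/mounts; a flagged result for a real account's home is the condition the report describes, since the quota call would then be made for whatever source name the user chose.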

Comment 1 Michael Kaplan 2020-06-26 13:02:20 UTC
Created pam tracking bugs for this issue:

Affects: fedora-all [bug 1851409]

Comment 3 Iker Pedrosa 2020-06-26 14:04:51 UTC
I'm not completely sure if I should post this information in this bugzilla or in https://bugzilla.redhat.com/show_bug.cgi?id=1851409, but as I have seen more people included in this one I have decided to do it here.

Fedora 32 and below don't include the pam_setquota.so module, so this vulnerability doesn't affect those versions. Besides, when I included the pam_setquota module in Fedora rawhide, 33 and above, I did so by rebasing to release 1.4.0. This release already includes the upstream fix indicated by Michael. Thus, in my opinion, this bugzilla can be closed as not a bug.

Comment 4 Huzaifa S. Sidhpurwala 2020-06-29 05:23:51 UTC
Statement:

The pam_setquota module is not included in the pam packages shipped with Red Hat Enterprise products.