Bug 581884
Summary: | latent privilege escalation via /var/lock group write permission | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Wietse Venema <wietse> |
Component: | lockdev | Assignee: | Jiri Popelka <jpopelka> |
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | rawhide | CC: | jpopelka, ovasik |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | lockdev-1.0.3-5.fc14 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-04-19 16:29:55 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Wietse Venema
2010-04-13 13:41:23 UTC
Thanks for report. Adding lockdev maintainer to cc to know his opinion about the change to 755 ... I think you have other possibilities - like lowering capabilities for lockdev setgid binary, some SELinux rules for /sbin/lockdev . Basic unix file rights are not perfect anyway (as they do depend on UID/GID numbers, which may differ on various systems). I'll investigate it a bit more ... (In reply to comment #0) > Possible solutions > ------------------ > a) Do not make /var/lock group-writable. This is the configuration > of, for example, Ubuntu 9.10, It appears to break no functionality, > and is the simplest solution. Hi, /usr/sbin/lockdev is a set-gid binary that creates lock files for e.g. ttyS0 in /var/lock so regular users don't need write access there. AFAIK Debian/Ubuntu do not ship this set-gid binary like Fedora. Liblockdev1 package in Debian/Ubuntu ships only the shared library. I looked into Debian testing / Ubuntu 10.04 and /var/lock is group-writable there: drwxrwxrwt 2 root root 4096 2010-04-15 07:47 /var/lock I'm sorry, but I still don't understand how the set-gid lockdev could create lock files in /var/lock when we make /var/lock not group-writable. I'll be thinking about some lowering capabilities for lockdev. Thanks, Jiri ... I think it should be kept group writable. Lowering capabilities in lockdev seems to be good compromise for me. Reassigning to lockdev, I'm not going to reduce permissions on /var/lock in filesystem package. If you still think that it is better way to lower the permissions on /var/lock, feel free to propose it on devel.org list to know opinion of wider audience. [Wietse Venema here - sorry my name did not show up in the bugzilla signup procedure] The real problem is that /etc/init.d/* scripts create/remove files as root under a directory that is under control by an unpriviliged user (in this case a group). There are two types of fixes: "type 1" fixes that address the underlying problem, and "type 2" fixes that address specific symptoms. A clean "type 1" fix is to change the lockdev program so that it creates application locks in a new directory /var/lock/lockdev. Then, /var/lock can be made writable only by root. This eliminates not only the problem that init.d scripts create/delete files under a directory that is group writable, but it also eliminates any problem with creating or removing files as root under the other /var/lock/* directories. A simple "mixed type 1 and 2" fix is to make /var/lock sticky and to rely on the system to create /var/lock/subsys etc. at boot or install time. Then, no-one except root can replace /var/lock/subsys etc. by a symlink, and cause /etc/init.d/* to blow away files as documented in the initial bug report. This fix is more fragile due to the use of special directory permissions. An example of the "symptom only fix" is to complicate the lockdev program with extra configuration for capabilities, selinux, etc. That seems even more fragile than setting the sticky bit. In case this is not 100% clear: with
> A simple (part symptom, part fundamental) fix is to make /var/lock sticky
> and to rely on the system to create /var/lock/subsys etc. at boot or
> install time.
I mean ADD the sticky bit, KEEP the root and group write permission, i.e. drwxrwxr-t root lock /var/lock
Making /var/lock 1775 was already proposed and was rejected CANTFIX - see https://bugzilla.redhat.com/show_bug.cgi?id=145264 - and e.g. http://marc.info/?l=linux-security-audit&m=96441626707601&w=2 which problems might be caused by sticky bit. And what are your thoughts about the better fix: having lockdev create locks under its own directory? drwxr-wr-x root root /var/lock <<<<=== No group write permission drwxr-xr-x root root /var/lock/dmraid ... drwxrwxr-x root lock /var/lock/lockdev <<<=== Group write permission here drwxr-xr-x root root /var/lock/subsys Now, the subsys directory is "safe" and my privilege esclation exploit no longer works. This also addresses any problems with creating/deleting files as root under the /var/lock/drmraid etc. directories or any directories that might be added in the future. With this, the lockdev program no longer has write permission on the parent of /var/lock/subsys, /var/lock/dmraid, and so on. Filesystem Hierarchy Standard http://www.pathname.com/fhs/pub/fhs-2.3.html#VARLOCKLOCKFILES doesn't say, that lock files have to be stored directly in /var/lock, but "Lock files should be stored within the /var/lock directory structure." so drwxr-xr-x root root /var/lock <<<<=== No group write permission drwxrwxr-x root lock /var/lock/lockdev <<<=== Group write permission here looks like a solution to me. Lockdev now (lockdev-1.0.3-5.fc14) creates it's own drwxrwxr-x root lock /var/lock/lockdev directory during installation. Lock files are placed into this directory, so /var/lock doesn't need to be group-writable anymore. Built as filesystem-2.4.35-1.fc14 ... permissions on /var/lock are now 755:root:root I agree that this solution solves the problem at its root cause. Now, can someone undo the change that was made to the subject of this report? The idea to solve the problem by playing with capabilities is a mistake, as it addresses a symptom (lockdev can do nasty stuff to root) and not the cause (lockdev should not have write permission to a path that is used by root). |