Bug 1378893 - CVE-2018-1113 setup: nologin listed in /etc/shells violates security expectations [fedora-all]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: setup
Version: 27
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Ondrej Vasik
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1571103
Depends On:
Blocks: CVE-2018-1113
 
Reported: 2016-09-23 13:16 UTC by Jakub Svoboda
Modified: 2019-01-10 21:54 UTC (History)
CC: 6 users

Fixed In Version: setup-2.11.4-1.fc28
Clone Of:
Environment:
Last Closed: 2018-04-27 04:03:58 UTC
Type: Bug
Embargoed:




Links
System: Red Hat Bugzilla | ID: 1596469 | Private: 0 | Priority: unspecified | Status: CLOSED | Summary: vsftpd logins fail if uid < 1000 after FC28 upgrade | Last Updated: 2021-02-22 00:41:40 UTC

Internal Links: 1596469

Description Jakub Svoboda 2016-09-23 13:16:44 UTC
Description of problem:

nologin listed in /etc/shells violates security expectations of su, nologin, as well as of /etc/shells. /etc/shells should list only non-restricted shells.

Version-Release number of selected component (if applicable):

2.10.4-1.fc25

How reproducible:

always

Steps to Reproduce:
1. set up a user with /sbin/nologin as default shell
2. su -s /usr/bin/bash - user
3. login

Actual results:

* logged in as the user with the specified non-restricted shell.
* /etc/shells contains nologin.

Expected results:

* su prohibits the command line-specified shell from being used because the default shell is restricted.
* /etc/shells doesn't contain nologin.

Additional info:


# showing the bug
###############################

[jsvoboda@localhost ~]$ whoami
jsvoboda
[jsvoboda@localhost ~]$ cat /etc/shells 
/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/sh
/usr/bin/bash
/usr/sbin/nologin
[jsvoboda@localhost ~]$ man shells | grep DESCR -A3
DESCRIPTION
       /etc/shells  is  a text file which contains the full pathnames of valid
       login shells.  This file is consulted by chsh(1) and  available  to  be
       queried by other programs.
[jsvoboda@localhost ~]$ sudo dnf distro-sync --refresh
Dependencies resolved.
Nothing to do.
Complete!
[jsvoboda@localhost ~]$ date
Fri Sep 23 12:24:02 CEST 2016
[jsvoboda@localhost ~]$ uname -a
Linux localhost 4.8.0-0.rc7.git2.1.fc26.x86_64 #1 SMP Wed Sep 21 21:48:23 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[jsvoboda@localhost ~]$ cat /etc/os-release 
NAME=Fedora
VERSION="26 (Rawhide)"
ID=fedora
VERSION_ID=26
PRETTY_NAME="Fedora 26 (Rawhide)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:26"
HOME_URL="https://fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=rawhide
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=rawhide
PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
[jsvoboda@localhost ~]$ cat /etc/passwd | grep testuser # shell is in /etc/shells
testuser:x:1001:1001::/home/testuser:/bin/bash
[jsvoboda@localhost ~]$ su -s /usr/bin/bash - testuser # can specify a different shell (correct behavior)
Password: 
[testuser@localhost ~]$ whoami
testuser
[testuser@localhost ~]$ exit
logout
[jsvoboda@localhost ~]$ whoami
jsvoboda
[jsvoboda@localhost ~]$ su -s /usr/bin/mc - testuser # can specify a different shell
Password: 

[jsvoboda@localhost ~]$ # mc did run
[jsvoboda@localhost ~]$ sudo vi /etc/passwd
[jsvoboda@localhost ~]$ cat /etc/passwd | grep testuser # shell is not in /etc/shells, doesn't exist
testuser:x:1001:1001::/home/testuser:/bin/nonexisting
[jsvoboda@localhost ~]$ su -s /usr/bin/bash - testuser # cannot log in (correct behavior)
Password: 
su: using restricted shell /bin/nonexisting
su: failed to execute /bin/nonexisting: No such file or directory
[jsvoboda@localhost ~]$ su -s /usr/bin/mc - testuser # cannot log in (correct behavior)
Password: 
su: using restricted shell /bin/nonexisting
su: failed to execute /bin/nonexisting: No such file or directory
[jsvoboda@localhost ~]$ which -a false
/usr/bin/false
/bin/false
[jsvoboda@localhost ~]$ sudo vi /etc/passwd
[jsvoboda@localhost ~]$ cat /etc/passwd | grep testuser # shell is not in /etc/shells, does exist
testuser:x:1001:1001::/home/testuser:/bin/false
[jsvoboda@localhost ~]$ su -s /usr/bin/bash - testuser # cannot log in (correct behavior)
Password: 
su: using restricted shell /bin/false
[jsvoboda@localhost ~]$ su -s /usr/bin/mc - testuser
Password: 
su: using restricted shell /bin/false
[jsvoboda@localhost ~]$ man nologin | grep DESCR -A3
DESCRIPTION
       nologin  displays  a message that an account is not available and exits
       non-zero.  It is intended as a replacement shell field  to  deny  login
       access to an account.
[jsvoboda@localhost ~]$ which -a nologin
/usr/sbin/nologin
[jsvoboda@localhost ~]$ sudo vi /etc/passwd
[jsvoboda@localhost ~]$ cat /etc/passwd | grep testuser # shell is not in /etc/shells, doesn't exist (bad path on purpose)
testuser:x:1001:1001::/home/testuser:/bin/nologin
[jsvoboda@localhost ~]$ su -s /usr/bin/bash - testuser # cannot log in (correct behavior)
Password: 
su: using restricted shell /bin/nologin
su: failed to execute /bin/nologin: No such file or directory
[jsvoboda@localhost ~]$ su -s /usr/bin/mc - testuser # cannot log in (correct behavior)
Password: 
su: using restricted shell /bin/nologin
su: failed to execute /bin/nologin: No such file or directory
[jsvoboda@localhost ~]$ sudo vi /etc/passwd
[jsvoboda@localhost ~]$ cat /etc/passwd | grep testuser # shell is in /etc/shells (BUG!), does exist
testuser:x:1001:1001::/home/testuser:/sbin/nologin
[jsvoboda@localhost ~]$ su -s /usr/bin/bash - testuser # can log in and specify an unrestricted shell (BUG - wrong assumption in su or wrong entry in /etc/shells)
Password: 
[testuser@localhost ~]$ whoami
testuser
[testuser@localhost ~]$ exit
logout
[jsvoboda@localhost ~]$ su -s /usr/bin/mc - testuser # can log in and specify an unrestricted shell (BUG - wrong assumption in su or wrong entry in /etc/shells)
Password: 

[jsvoboda@localhost ~]$ # mc did run



# finding which package is at fault
###################################

[root@localhost jsvoboda]# dnf provides /sbin/nologin
Last metadata expiration check: 0:32:20 ago on Fri Sep 23 12:24:00 2016.
util-linux-2.28.2-1.fc26.x86_64 : A collection of basic system utilities
Repo        : @System

util-linux-2.28.2-1.fc26.i686 : A collection of basic system utilities
Repo        : rawhide

util-linux-2.28.2-1.fc26.x86_64 : A collection of basic system utilities
Repo        : rawhide

[root@localhost jsvoboda]# rpm -qa | grep util-linux
util-linux-2.28.2-1.fc26.x86_64
[root@localhost jsvoboda]# rpm -e --nodeps util-linux-2.28.2-1.fc26.x86_64
[root@localhost jsvoboda]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/sh
/usr/bin/bash
/usr/sbin/nologin
[root@localhost jsvoboda]# dnf provides /etc/shells
Last metadata expiration check: 0:33:01 ago on Fri Sep 23 12:24:00 2016.
setup-2.10.4-1.fc25.noarch : A set of system configuration and setup files
Repo        : @System

setup-2.10.4-1.fc25.noarch : A set of system configuration and setup files
Repo        : rawhide

[root@localhost jsvoboda]# rpm -qa | grep setup
setup-2.10.4-1.fc25.noarch
setuptool-1.19.11-11.fc24.x86_64
python3-setuptools-27.1.2-1.fc26.noarch
initial-setup-0.3.43-1.fc26.x86_64
cryptsetup-libs-1.7.2-3.fc25.x86_64
cryptsetup-1.7.2-3.fc25.x86_64
python2-setuptools-27.1.2-1.fc26.noarch
initial-setup-gui-0.3.43-1.fc26.x86_64
ibus-setup-1.5.14-2.fc26.noarch
[root@localhost jsvoboda]# rpm -e --nodeps setup-2.10.4-1.fc25.noarch
[root@localhost jsvoboda]# cat /etc/shells
cat: /etc/shells: No such file or directory
[root@localhost jsvoboda]# dnf install setup # install just setup without util-linux to see whether /sbin/nologin is added by setup or by util-linux
Last metadata expiration check: 0:34:09 ago on Fri Sep 23 12:24:00 2016.
Dependencies resolved.
==============================================================================================================================
 Package                    Arch                        Version                            Repository                    Size
==============================================================================================================================
Installing:
 setup                      noarch                      2.10.4-1.fc25                      rawhide                      174 k

Transaction Summary
==============================================================================================================================
Install  1 Package

Total size: 174 k
Installed size: 698 k
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] setup-2.10.4-1.fc25.noarch.rpm: Already downloaded                                                                 
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : setup-2.10.4-1.fc25.noarch                                                                                1/1 
  Verifying   : setup-2.10.4-1.fc25.noarch                                                                                1/1 

Installed:
  setup.noarch 2.10.4-1.fc25                                                                                                  

Complete!
[root@localhost jsvoboda]# cat /etc/shells  # yes, the setup pkg is at fault
/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/sh
/usr/bin/bash
/usr/sbin/nologin
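
The session above shows the rule util-linux su applies for a non-root caller: the shell given with -s is honoured only when the account's own /etc/passwd shell is listed in /etc/shells; otherwise su prints "using restricted shell" and executes the account's shell instead. The same listing is what pam_shells consults, so a /sbin/nologin entry in /etc/shells turns a nologin account into one that su -s (given the account's password) and pam_shells-protected services will accept. The following is an added example, not code from this report, from the setup package or from util-linux: a POSIX sh audit that reports deny-login shells listed in a shells file and the accounts affected by them. The function names, the choice to treat the basenames nologin and false as deny-login shells, and the sample files in the usage are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the bug report, setup or util-linux): audit an
# /etc/shells file for deny-login shells and list the accounts for which
# `su -s <shell> - <user>` and pam_shells would therefore succeed.
# File paths are parameters so the checks can run against copies.

# 0 if $1 is a shell whose only purpose is to refuse logins.
# Treating the basenames nologin and false this way is an assumption here.
is_nologin_shell() {
    case "$(basename -- "$1")" in
        nologin|false) return 0 ;;
        *) return 1 ;;
    esac
}

# The check su and pam_shells perform: exact whole-line match of the
# account's shell path in the shells file (comments and blank lines ignored).
shell_is_listed() {
    wanted="$1"; listfile="${2:-/etc/shells}"
    grep -v '^#' -- "$listfile" | grep -qxF -- "$wanted"
}

# Print each shells-file entry that is a deny-login shell.
# Returns 1 if any were found, 0 if the file is clean.
listed_nologin_shells() {
    listfile="${1:-/etc/shells}"
    found=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac
        if is_nologin_shell "$entry"; then
            printf '%s\n' "$entry"
            found=1
        fi
    done < "$listfile"
    return "$found"
}

# Print "user:shell" for accounts whose deny-login shell is nevertheless
# listed, i.e. the accounts for which the -s override and pam_shells succeed.
affected_accounts() {
    listfile="${1:-/etc/shells}"; pwfile="${2:-/etc/passwd}"
    while IFS=: read -r user pw uid gid gecos home shell || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac
        if is_nologin_shell "$shell" && shell_is_listed "$shell" "$listfile"; then
            printf '%s:%s\n' "$user" "$shell"
        fi
    done < "$pwfile"
}

# Run both checks; exit status 1 means the misconfiguration is present.
audit() {
    shells_file="${1:-/etc/shells}"; passwd_file="${2:-/etc/passwd}"
    if bad=$(listed_nologin_shells "$shells_file"); then
        echo "ok: no deny-login shell is listed in $shells_file"
        return 0
    fi
    echo "deny-login shells listed as valid login shells in $shells_file:"
    echo "$bad" | sed 's/^/  /'
    echo "accounts for which 'su -s <shell> - <user>' (with the account's password)"
    echo "and the pam_shells check would succeed:"
    affected_accounts "$shells_file" "$passwd_file" | sed 's/^/  /'
    return 1
}

# Usage: sh audit_shells.sh /etc/shells /etc/passwd
# With no arguments the file only defines the functions, so it can be sourced.
if [ $# -gt 0 ]; then
    audit "$1" "$2"
fi
```

Run against the /etc/shells shown in the report, the audit flags /sbin/nologin and /usr/sbin/nologin and lists every account using them; against the file shipped by setup-2.11.4-1.fc28 it reports clean. The reverse effect is worth checking before deploying the fix: once nologin is dropped from /etc/shells, anything that gates on pam_shells (vsftpd on Fedora and RHEL does) will reject accounts whose shell is /sbin/nologin, which is the regression tracked in the linked bug 1596469, so such accounts need either a different service configuration or a real shell.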

Comment 1 Ondrej Vasik 2016-09-26 05:53:30 UTC
Hi Jakub,
not the first bug report like this.
See e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1277219 ... as I suggested in https://bugzilla.redhat.com/show_bug.cgi?id=1277219#c1 - /sbin/nologin was added as request by https://bugzilla.redhat.com/show_bug.cgi?id=53963 . Feel free to discuss potential risk caused by this /etc/shells entry on fedora devel list and add a pointer to the mail thread into this bugzilla.

I agree this behaviour is suboptimal and it should be really clarified if there is some reason for "fixing" #53963 this way or not.

Comment 2 Jakub Svoboda 2016-09-26 15:42:12 UTC
Hi Ondrej,

thank you for providing reference to the other bug reports. Sorry for not finding them outright.

I posted to the fedora devel list to discuss the issue - https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/UCUWTT63JS72R7ROFE46ZVUZLFN3K2MZ/

Whole thread: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/UCUWTT63JS72R7ROFE46ZVUZLFN3K2MZ/#UCUWTT63JS72R7ROFE46ZVUZLFN3K2MZ

Comment 3 Jakub Svoboda 2016-09-26 15:46:38 UTC
Made the report public since this issue is publicly known for a long time.

Comment 4 Ondrej Vasik 2016-10-04 13:37:42 UTC
Based on the discussion on the mailing list, I don't see any reason to keep it in /etc/shells in Rawhide - so I tend to remove it in next Rawhide build.

Comment 5 Fedora End Of Life 2017-02-28 10:21:02 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 6 Jan Kurik 2017-08-15 08:08:20 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 7 Martin Pitt 2018-04-11 10:54:54 UTC
Can this be done now? This keeps being a security vulnerability. E.g. a user with a nologin shell can log into Cockpit and do stuff there.

Comment 8 Ondrej Vasik 2018-04-16 12:09:50 UTC
Ok, built in f28 and master...

Comment 9 Fedora Update System 2018-04-16 12:13:32 UTC
setup-2.11.4-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-f47268acd5

Comment 10 Martin Pitt 2018-04-16 12:39:45 UTC
Thank you Ondrej!

Comment 11 Fedora Update System 2018-04-17 03:04:25 UTC
setup-2.11.4-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f47268acd5

Comment 12 Doran Moppert 2018-04-24 06:18:57 UTC
*** Bug 1571103 has been marked as a duplicate of this bug. ***

Comment 13 Fedora Update System 2018-04-27 04:03:58 UTC
setup-2.11.4-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Kenneth Porter 2019-01-10 21:54:56 UTC
This change is in RHEL 7.6 and elicited bug 1647485 affecting vsftpd (i.e. the release change notes didn't warn of the effect on FTP users).

