Bug 1528439 - unbound: Privilege escalation via writable config file
Summary: unbound: Privilege escalation via writable config file
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=moderate,public=20171221,repor...
Depends On: 1528445
Blocks: 1528446
TreeView+ depends on / blocked
Reported: 2017-12-21 20:22 UTC by Pedro Sampaio
Modified: 2019-06-08 22:34 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-12-22 02:57:52 UTC

Attachments (Terms of Use)

Description Pedro Sampaio 2017-12-21 20:22:45 UTC
As reported:

The ebuilds for net-dns/unbound create the "unbound" user with its home directory set to /etc/unbound:

  pkg_setup() {
    enewgroup unbound
    enewuser unbound -1 -1 /etc/unbound unbound

    use python && python-single-r1_pkg_setup

As a result, /etc/unbound is writable by the "unbound" user. However, that's where the sensitive unbound.conf gets installed (as root:root):

  $ /bin/ls -al /etc/unbound/
  total 44
  drwxr-xr-x  2 unbound root  4096 Dec 14 13:59 .
  drwxr-xr-x 79 root    root  4096 Dec 14 13:59 ..
  -rw-r--r--  1 root    root 34276 Dec 14 13:59 unbound.conf

That conf file must only be writable by root; at least...

  * the OpenRC service script uses the value of "pidfile" found
    in unbound.conf, so anyone who can edit that file can clobber
    things on the fileystem.

  * the daemon binds to its interface and port as root, so the
    "unbound" user could bind to e.g. port 80.

  * From daemon/unbound.c and daemon/remote.c, it looks like unbound
    will call "chown" on its pidfile/socket respectively, meaning that
    if the "unbound" user can alter the pidfile or local socket location,
    then he can take control of any file the next time the daemon is
    started. (I haven't tested this one, because the first two are bad



Comment 1 Pedro Sampaio 2017-12-21 20:53:05 UTC
Created unbound tracking bugs for this issue:

Affects: fedora-all [bug 1528445]

Comment 2 Doran Moppert 2017-12-22 02:49:46 UTC
The description sounds specific to Gentoo's packaging of unbound, and indeed Fedora + RHEL's configuration does not have this issue:

    # cd /etc/unbound
    # ls -laZ
    drwxr-xr-x.   5 root root    system_u:object_r:named_conf_t:s0  4096 Dec 22 12:53 .
    drwxr-xr-x. 175 root root    system_u:object_r:etc_t:s0        12288 Dec 22 09:41 ..
    drwxr-xr-x.   2 root unbound system_u:object_r:named_conf_t:s0  4096 Dec 22 12:53 conf.d
    -rw-r--r--.   1 root root    system_u:object_r:named_conf_t:s0 13026 Dec  2 02:33 icannbundle.pem
    drwxr-xr-x.   2 root unbound system_u:object_r:named_conf_t:s0  4096 Dec 22 12:53 keys.d
    drwxr-xr-x.   2 root unbound system_u:object_r:named_conf_t:s0  4096 Dec 22 12:53 local.d
    -rw-r--r--.   1 root root    system_u:object_r:dnssec_t:s0       939 Dec  2 02:44 root.key
    -rw-r--r--.   1 root root    system_u:object_r:named_conf_t:s0 35901 Dec  2 02:33 unbound.conf


    # ls -lZ conf.d/* local.d/*
    -rw-rw-r--. root unbound system_u:object_r:named_conf_t:s0 conf.d/example.com.conf
    -rw-rw-r--. root unbound system_u:object_r:named_conf_t:s0 local.d/block-example.com.conf

Default /etc/unbound/unbound.conf includes conf.d/*.conf and local.d/*.conf, including these default (empty except comments) files.

SELinux prevents unbound (named_t) from writing these files *even prior to dropping privs*, but with SELinux disabled it is possible that a compromise of unbound could use these writable files to clobber other filesystem objects, possibly privesc.

I think removing g+w permissions from these files should be considered to add a layer of protection for non-SELinux environments, but it is not an urgent fix since SELinux effectively mitigates and unbound has a strong security track record.

Note You need to log in before you can comment on or make changes to this bug.