It was found that pacemaker does not properly check privileges and allows a non-privileged user to change privileges to root level.

Vulnerable code (lib/common/ipc.c):

317 if(gid_cluster != 0 && gid_client != 0) {
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
318     uid_t best_uid = -1; /* Passing -1 to chown(2) means don't change */
319
320     if(uid_client == 0 || uid_server == 0) { /* Someone is priveliged, but the other may not be */
        ^^^^^^^^^^^^^^^^
321         best_uid = QB_MAX(uid_client, uid_server);
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
322         crm_trace("Allowing user %u to clean up after disconnect", best_uid);
323     }
324
325     crm_trace("Giving access to group %u", gid_cluster);
326     qb_ipcs_connection_auth_set(c, best_uid, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^    ^^^^^^^^
327 }

Introduced with commit https://github.com/ClusterLabs/pacemaker/commit/5fe63f902b35bfed9cee117060a3ba7830d548f5

Affected pacemaker versions
===========================

Pacemaker-1.1.10-rc2 (2013-05-03) up to the latest released version Pacemaker-1.1.15 (2016-06-21). This covers all pacemaker packages since at least RHEL 6.5 (up to what's currently queued for RHEL 7.3).

Affected pacemaker daemons
==========================

- union of those running as root:
  . pacemakerd
  . stonithd
  . lrmd
  and those exposing IPC API:
  . lrmd
  . ...?

References
==========

Upstream patch : https://github.com/ClusterLabs/pacemaker/commit/5d71e65049
Upstream discussion : http://clusterlabs.org/pipermail/users/2016-November/004432.html
Disclosure email : http://www.openwall.com/lists/oss-security/2016/11/03/5
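A helper for triaging the upstream affected range stated above (Pacemaker-1.1.10-rc2 through Pacemaker-1.1.15). This is an added example, not code from the bug report or from pacemaker itself; it assumes version strings in the "Pacemaker-1.1.15", "Pacemaker 1.1.15" or bare "1.1.15" form, and it only answers for upstream releases, since distribution packages such as the RHSA-fixed RHEL builds carry the fix as a backport under an older version number.

```python
import re

# Bounds copied from the report (inclusive on both ends).
AFFECTED_FIRST = "Pacemaker-1.1.10-rc2"
AFFECTED_LAST = "Pacemaker-1.1.15"

# Assumed input shapes: optional "Pacemaker-" / "Pacemaker " prefix, then
# major.minor.patch with an optional "-rcN" suffix.
_VERSION_RE = re.compile(
    r"^(?:pacemaker[- ])?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?$", re.IGNORECASE
)


def parse_version(text):
    """Turn a pacemaker version string into a sortable tuple.

    A release candidate sorts before the final release of the same number,
    so the fourth field is the rc number for an rc and +inf for a final.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised pacemaker version: %r" % text)
    major, minor, patch, rc = m.groups()
    rc_rank = int(rc) if rc is not None else float("inf")
    return (int(major), int(minor), int(patch), rc_rank)


def is_affected_upstream(version):
    """True when an upstream release falls inside the affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_FIRST) <= v <= parse_version(AFFECTED_LAST)


if __name__ == "__main__":
    # Constructed sample values, not output of any real host.
    for sample in ("Pacemaker-1.1.10-rc1", "Pacemaker-1.1.10-rc2",
                   "Pacemaker 1.1.15", "1.1.16"):
        print(sample, "affected" if is_affected_upstream(sample) else "not affected")
```

For packaged builds, check the installed package against the relevant erratum (RHSA-2016:2614 for RHEL 7, RHSA-2016:2675 for RHEL 6) instead of the upstream version string.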
Acknowledgments: Jan "poki" Pokorny (Red Hat), Alain Moulle (ATOS/BULL)
*** Bug 1369467 has been marked as a duplicate of this bug. ***
*** Bug 1379782 has been marked as a duplicate of this bug. ***
Created pacemaker tracking bugs for this issue: Affects: fedora-all [bug 1391386]
Created attachment 1216896: Fix, latest version
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2614 https://rhn.redhat.com/errata/RHSA-2016-2614.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:2675 https://rhn.redhat.com/errata/RHSA-2016-2675.html