Bugzilla – Bug 1150336
AUDIT-1: roccat-tools: review of setgid directory /var/lib/roccat
Last modified: 2020-09-02 15:27:45 UTC
+++ This bug was initially created as a clone of Bug #1150189

Like discussed in the proactive security team we want to catch up with packages installing set*id items that haven't been whitelisted yet in the permissions package. Formerly this rpmlint check type didn't cause badness and therefore didn't require packagers to actually have them reviewed.

roccat-tools is one of the packages installing a setgid directory that isn't currently whitelisted:

/var/lib/roccat drwxrws--- from roccat-tools-5.7.0-1.7.i586.rpm

The secure use of this directory needs to be reviewed and if all is good a whitelisting entry in all our permission profiles must be added.
The plan with roccat-tools seems to be to share the profiles in /var/lib/roccat between multiple users. Every user who wants to use the tools needs to be a member of the roccat group. The fun thing then is that all sub-directories and files created by the GUI tools below the directory also have mode 2770 or 0660 respectively.

This means every member of the roccat group may modify and manipulate the profiles that other users may be using. Since this seems to be an explicit use case that roccat-tools are considering, this is quite a serious security issue.

Some of the controllers here also allow setting key macro sequences of up to ~450 key strokes. This would even allow a kind of code execution injection.

The files stored in the sub-directories are plain binary files from C data structures written to disk. This might even allow further attack surface like stack buffer overflows and similar.

Furthermore sub-directories can be replaced by symlinks, causing the tools to write profile data in arbitrary other locations. Since the file names are mostly fixed it's difficult to construct a successful attack, however. On write symlinks are replaced.

I'm keeping this bug private for the moment and I will report to upstream my concerns. A quick fix on our side would be to simply replace the /var/lib/roccat prefix by /home/$user/.roccat and be done with it.
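An added example, not part of the bug report or of roccat-tools: a small audit that walks a shared state directory like the one described in the comment above and reports setgid directories, group-writable entries, and symlinks standing in for sub-directories. The sample tree and the names `device`, `profile.bin` and `other` are constructed for illustration.

```python
import os
import stat
import tempfile

def classify(mode):
    """Return findings for one lstat() st_mode value."""
    if stat.S_ISLNK(mode):
        # A symlink in place of a profile directory redirects writes elsewhere.
        return ["symlink"]
    findings = []
    if stat.S_ISDIR(mode) and mode & stat.S_ISGID:
        findings.append("setgid-dir")  # new entries inherit the shared group
    if mode & stat.S_IWGRP:
        findings.append("group-writable")  # any group member can modify it
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

def audit(root):
    """Walk root without following symlinks; return {relative path: findings}."""
    report = {}
    top = classify(os.lstat(root).st_mode)
    if top:
        report["."] = top
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            findings = classify(os.lstat(path).st_mode)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report

def build_sample(base):
    """Constructed tree using the modes quoted in the comment (2770 / 0660)."""
    root = os.path.join(base, "roccat")
    device = os.path.join(root, "device")  # hypothetical sub-directory name
    os.makedirs(device)
    profile = os.path.join(device, "profile.bin")  # hypothetical file name
    with open(profile, "wb") as fh:
        fh.write(b"\x00" * 16)
    os.chmod(profile, 0o660)
    for d in (device, root):
        os.chmod(d, 0o2770)
    os.symlink(base, os.path.join(root, "other"))  # sub-directory swapped for a symlink
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, findings in sorted(audit(build_sample(tmp)).items()):
            print(path, ", ".join(findings))
```

Pointing `audit()` at a real state directory lists every entry that another group member could modify or that is a symlink rather than a directory.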
I'm assigning this to you darix, or is there a chance matthias@mailaender.name can take care of this? I want to add the settings for /var/lib/roccat tools to the permissions package. For this to work you must first drop the roccat user, however. And then you need to invoke %verify_permissions et al in your spec file. Afterwards I can add the whitelisting entry.
roccat-tools got deleted from Factory via sr#800517, because it failed to build for a long time (because the whitelisting wasn't in place). This was not the intention of the security team. The whitelisting requires the changes depicted in comment 2, however. When you want to re-add the package to Factory then feel free to adjust the package and re-open this bug.
This software is unmaintained as the original developer resigned. No new hardware support will be added. https://www.reddit.com/r/linux_gaming/comments/5js1l2/im_stefan_achatz_stopping_programming_linux/