Bug 1154167 - AUDIT-FIND: dehydrated: LPE from dehydrated user to root
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Audits
Priority: P5 - None, Severity: Minor
Assigned To: Daniel Molkentin
Blocks: 1154062
Reported: 2019-10-16 07:55 UTC by Johannes Segitz
Modified: 2021-03-29 15:25 UTC (History)
Description Johannes Segitz 2019-10-16 07:55:26 UTC
In %pre:
if [ -d %{_sysconfdir}/letsencrypt.sh ]; then mv %{_sysconfdir}/letsencrypt.sh %{_sysconfdir}/dehydrated; chown -R %{_user} %{_sysconfdir}/dehydrated; fi

I assume that's used for migrating. On systems with fs.protected_hardlinks=0:

sh-5.0$ pwd
/etc/dehydrated/accounts
sh-5.0$ id
uid=165(dehydrated) gid=456(dehydrated) groups=456(dehydrated)
sh-5.0$ ln /etc/shadow .
sh-5.0$ ls -lah
total 12K
drwx------ 2 dehydrated dehydrated 4.0K Oct 16 09:50 .
drwxr-x--- 8 root       dehydrated 4.0K Aug 10 14:00 ..
-rw-r----- 2 root       shadow     1.5K Oct 16 09:45 shadow


As root:
Ensure migration case is triggered:
mkdir /etc/letsencrypt.sh
zypper in -f dehydrated
ls -lah /etc/shadow
-rw-r----- 2 dehydrated shadow 1.5K Oct 16 09:45 /etc/shadow
Comment 1 Johannes Segitz 2019-10-16 12:36:42 UTC
So Daniel provided some context and I now understand that this will not work. But with that another issue arose. In the migration case the user dehydrated controls %{_sysconfdir}/dehydrated fully for a brief period. Right after the chown I can control the mv:
if [ -e %{_sysconfdir}/dehydrated/config.sh ]; then mv %{_sysconfdir}/dehydrated/config.sh %{_sysconfdir}/dehydrated/config; fi
So if
- the system has fs.protected_hardlinks=0
- the attacker wins the race
he can overwrite arbitrary files (only once during migration). Pretty low prio, but I still think we should remove the chown.
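
Added example, not part of the bug report or the dehydrated package: a pre-flight audit for the pattern discussed in the description and comment 1, a root-run recursive chown over a tree that an unprivileged user can write to. The function names and the command-line usage are assumptions made for this illustration.

```shell
#!/bin/sh
# Audit aid: find inodes under a tree that are reachable by more than one name.
# A root-run "chown -R" changes the inode, so every other name of that inode
# (for example a file outside the tree) changes owner as well.

# Return 0 if the kernel restricts hardlink creation (fs.protected_hardlinks=1).
hardlinks_protected() {
    f=/proc/sys/fs/protected_hardlinks
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print regular files under $1 whose link count is greater than one.
list_multilinked() {
    find "$1" -xdev -type f -links +1 -print
}

# Return 0 only if no regular file under $1 has a second name,
# 2 if $1 is not a directory, 1 otherwise.
safe_to_chown_tree() {
    [ -d "$1" ] || return 2
    [ -z "$(list_multilinked "$1")" ]
}

# Command-line use (assumed interface): script.sh /etc/dehydrated
if [ "$#" -ge 1 ]; then
    hardlinks_protected || echo "warning: fs.protected_hardlinks is not 1" >&2
    if safe_to_chown_tree "$1"; then
        echo "no multiply-linked regular files under $1"
    else
        echo "multiply-linked regular files under $1:" >&2
        list_multilinked "$1" >&2
        exit 1
    fi
fi
```

The check and a later chown are separate steps, so a user who controls the directory can still add a link in between; it is useful for auditing a system or a scriptlet's target, while the remedy proposed in comment 1 is to drop the chown.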
Comment 2 Daniel Molkentin 2020-06-29 13:09:04 UTC
Fixed and submitted to Factory. Johannes, can you approve a minor version backport to SLE-15? Should be no bother.
Comment 3 OBSbugzilla Bot 2020-06-29 13:20:07 UTC
This is an autogenerated message for OBS integration:
This bug (1154167) was mentioned in
https://build.opensuse.org/request/show/817721 Factory / dehydrated
Comment 4 Johannes Segitz 2020-06-29 14:28:50 UTC
(In reply to Daniel Molkentin from comment #2)
Thank you.

I can't give you an approval for this. Please talk to Marcus Meissner about this.
Comment 5 Daniel Molkentin 2020-06-29 14:30:39 UTC
Marcus, would you be ok with a minor version update in SLE15+? The current code base has been in factory for a few months now.
Comment 6 Marcus Meissner 2020-06-29 14:51:32 UTC
We can look at minor version updates, yes. If the outside interface / config is not changing this would be ok.
Comment 7 Daniel Molkentin 2020-06-29 14:53:29 UTC
No, that all continues to be compatible in that (minor) features have been added, but none removed.
Comment 8 Marcus Meissner 2020-06-29 15:02:28 UTC
ok, then go ahead I would say
Comment 9 Daniel Molkentin 2020-06-30 13:54:56 UTC
Done. Closing.
Comment 10 OBSbugzilla Bot 2020-11-10 14:20:24 UTC
This is an autogenerated message for OBS integration:
This bug (1154167) was mentioned in
https://build.opensuse.org/request/show/847498 Backports:SLE-12 / dehydrated
Comment 11 Swamp Workflow Management 2020-11-14 17:15:12 UTC
openSUSE-RU-2020:1917-1: An update that has 5 recommended fixes and contains one feature can now be installed.

Category: recommended (moderate)
Bug References: 1091216,1110697,1139408,1154167,1169834
CVE References: 
JIRA References: SLE-11727
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    dehydrated-0.6.5-5.1
Comment 13 Swamp Workflow Management 2020-12-16 20:16:31 UTC
SUSE-RU-2020:3858-1: An update that has two recommended fixes and contains one feature can now be installed.

Category: recommended (moderate)
Bug References: 1154167,1178927
CVE References: 
JIRA References: SLE-11727
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    dehydrated-0.6.5-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-12-19 23:16:47 UTC
openSUSE-RU-2020:2289-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1154167,1178927
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    dehydrated-0.6.5-lp151.3.9.1
Comment 17 Swamp Workflow Management 2021-03-09 17:22:00 UTC
SUSE-RU-2021:0734-1: An update that has two recommended fixes and contains one feature can now be installed.

Category: recommended (moderate)
Bug References: 1154167,1178927
CVE References: 
JIRA References: SLE-15909
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    dehydrated-0.7.0-11.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2021-03-16 20:17:08 UTC
openSUSE-RU-2021:0425-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1154167,1178927
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    dehydrated-0.7.0-lp152.3.3.1