Subject: bug#46395: Setuid programs are setgid-root: possible local privilege escalation
From: Ludovic Courtès
To: 46395@debbugs.gnu.org
Date: Tue, 09 Feb 2021 10:01:45 +0100
Message-ID: <87pn19ty12.fsf@gnu.org>
List: bug-guix@gnu.org (Bug reports for GNU Guix)

Duncan Overbruck reported on guix-security on Jan. 30th that on Guix System, programs listed in ‘setuid-programs’ all end up being setuid-root *and* setgid-root (this issue is only relevant to Guix System users; users of Guix on “foreign” distros are unaffected). The latter could potentially lead to local privilege escalation because these programs are usually designed to be setuid-root, but not setgid-root.
As Duncan wrote:

> The issue is that if those programs like ping are not aware of being
> installed with setgid and then fail to drop full privileges.
>
> In case someone finds a vulnerability in ping, that happens somewhere after
> the privileges should have been dropped then you have a privilege escalation
> issue and not just a buffer overflow in code running as the user.
>
> Another case would be as example dbus-launch-helper usually owned by
> root:dbus and is not executable by others, but in guix is root:root
> and readable/executable by others, this could potentially open more
> attack surface.
>
> With forcing every single setuid binary to be just root:root 06555 you
> deviate from the developers' intended permission and there could be something
> that is going to be exploitable just because guix deviates from that.

We do not know of any exploitation of this issue.

For completeness, here is the list of setuid programs one may get on Guix System by using the settings and services currently provided (‘service-types/setuid’ comes from the attached file):

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> ,use(gnu system)
scheme@(guile-user)> ,pp %setuid-programs
$32 = (# "/bin/passwd">
       # "/bin/sg">
       # "/bin/su">
       # "/bin/newgrp">
       # "/bin/newuidmap">
       # "/bin/newgidmap">
       # "/bin/ping">
       # "/bin/ping6">
       # "/bin/sudo">
       # "/bin/sudoedit">
       # "/bin/fusermount">
       # "/bin/mount">
       # "/bin/umount">)
scheme@(guile-user)> ,pp (service-types/setuid)
$33 = (# # # # #)
--8<---------------cut here---------------end--------------->8---

The immediate fix is to not make those programs setgid-root (patch attached).

(Incidentally, Chris Webber proposed to make it explicit, which we’ll do eventually: .)

Many thanks to Duncan Overbruck for reporting the issue!

Ludo’.
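To check an installed system for the misconfiguration described above, here is an added example (not code from this bug report or from Guix) that audits a setuid-programs directory and reports any copy that still carries the setgid bit, i.e. mode 06555 rather than the patched 04555. The directory path is a parameter and the sample files are constructed; on Guix System the directory that %setuid-directory names is /run/setuid-programs, which is stated here as an assumption.

```shell
# Added example, not code from the bug report or from Guix: audit a
# setuid-programs directory for copies installed with the setgid bit
# (mode 06555, what the buggy activation code produced) instead of
# setuid-only (04555, the patched mode).
# Assumptions: POSIX sh with test(1) -u/-g, ls -n and awk; the directory
# is passed as $1 (on Guix System that would be /run/setuid-programs).

# Report every regular file in $1 that is setgid, together with its
# setuid state and numeric owner:group so the root:root policy the report
# also mentions is visible. Returns 0 when nothing is setgid, 1 otherwise.
audit_setgid() {
    dir=$1
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        suid=-; [ -u "$f" ] && suid=u
        sgid=-; [ -g "$f" ] && sgid=g
        owner=$(ls -ldn "$f" | awk '{ print $3 ":" $4 }')
        if [ "$sgid" = g ]; then
            echo "setgid: $f (bits: $suid$sgid, owner: $owner)"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample directory: one copy with the buggy mode and one with
# the patched mode. Only files we own are chmod-ed, so root is not needed;
# the bits are recorded in the inode whether or not the mount honours
# them at exec time.
make_sample() {
    d=$(mktemp -d)
    : > "$d/ping-buggy"; chmod 6555 "$d/ping-buggy"
    : > "$d/ping-fixed"; chmod 4555 "$d/ping-fixed"
    echo "$d"
}
```

Running `audit_setgid /run/setuid-programs` on a system activated before the patch lists every entry; after the patch it prints nothing and returns 0.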
Attached patch (inline, quoted-printable as sent):

diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm index 4b67926e88..83586ce16c 100644 =2D-- a/gnu/build/activation.scm +++ b/gnu/build/activation.scm @@ -234,7 +234,7 @@ they already exist." "/" (basename prog)))) (copy-file prog target) (chown target 0 0) =2D (chmod target #o6555))) + (chmod target #o4555))) =20 (format #t "setting up setuid programs in '~a'...~%" %setuid-directory)

Attached code snippet, setuid-programs.scm:

--8<---------------cut here---------------start------------->8---
(use-modules (gnu services)
             (srfi srfi-1)
             (srfi srfi-26))

;; True if TYPE has an extension targeting setuid-program-service-type,
;; i.e. the service type contributes entries to %setuid-programs.
(define (provides-setuid-programs? type)
  (find (lambda (extension)
          (eq? (service-extension-target extension)
               setuid-program-service-type))
        (service-type-extensions type)))

;; Walk every known service type and collect those that provide
;; setuid programs.
(define (service-types/setuid)
  (fold-service-types (lambda (type result)
                        (if (provides-setuid-programs? type)
                            (cons type result)
                            result))
                      '()))
--8<---------------cut here---------------end--------------->8---
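Review bot: Changing `(chmod target #o6555)` to `(chmod target #o4555)` clears only the setgid bit; the `(chown target 0 0)` immediately above still forces root:root ownership and the new mode still leaves every copy world-readable and world-executable, which is exactly the dbus-launch-helper case (root:dbus, not executable by others) raised in the report. Since the hunk is the only place this policy lives, a short comment next to the chmod recording that group and mode are still one hard-coded value for all programs, pending the per-program ownership proposal mentioned in the mail, would keep the partial nature of this fix visible to the next reader.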