From: "Ludovic Courtès" <ludo@gnu.org>
To: Maxime Devos <maximedevos@telenet.be>
Cc: 47584@debbugs.gnu.org
Subject: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Mon, 05 Apr 2021 21:54:56 +0200 [thread overview]
Message-ID: <87zgycqzfz.fsf@gnu.org> (raw)
In-Reply-To: <7ab30aad812e5de1216c95b3becb784e3363e615.camel@telenet.be> (Maxime Devos's message of "Sun, 04 Apr 2021 09:36:05 +0200")
Hi Maxime,
Maxime Devos <maximedevos@telenet.be> skribis:
> On Sat, 2021-04-03 at 22:33 +0200, Ludovic Courtès wrote:
>> Maxime Devos <maximedevos@telenet.be> skribis:
>>
>> > The attack consists of the user being logged in after the account
>> > skeletons have been copied to the home directory, but before the
>> > owner of the account skeletons have been set. The user then deletes
>> > a copied account skeleton (e.g. @file{$HOME/.gdbinit}) and replaces
>> > it with a symbolic link to a file not owned by the user, such as
>> > @file{/etc/shadow}.
>> >
>> > The activation code then changes the ownership
>> > of the file the symbolic link points to instead of the symbolic
>> > link itself. At that point, the user has read-write access
>> > to the target file.
>>
>> In the draft blog post, you mention that the attack cannot be carried
>> out when protected symlinks are enabled.
>
> In the blog post, I thought I wrote the attack can be carried out
> *even if* protected symlinks are enabled. Looking at
>
> https://sysctl-explorer.net/fs/protected_symlinks/,
>
> I don't think the Linux protected symlink feature helps, as home
> directories are never sticky and word-writable.
Oh right, my bad, I overlooked this.
> Perhaps I should have written ‘possible’ instead of ‘not impossible’
> in the blog post.
Dunno, maybe it’s just me not paying enough attention.
> I agree with all other comments on this bug report.
OK. It does mean that the bug is hardly exploitable in practice: you
have to be able to log in at all, and if you’re able to log in, you have
to log in precisely within the 1s (or less) that follows account
creation, which sounds challenging (TCP + SSH connection establishment
is likely to take as much time or more, likewise for typing in your
password.) It’s also one-time chance.
Do I get it right?
Does it warrant as strong messaging as for the recent daemon
‘--keep-failed’ vulnerability?
Thanks,
Ludo’.
next prev parent reply other threads:[~2021-04-05 19:56 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-03 16:09 bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation Maxime Devos
2021-04-03 16:22 ` Maxime Devos
2021-04-03 16:32 ` Maxime Devos
2021-04-03 20:15 ` Ludovic Courtès
2021-04-03 16:26 ` Maxime Devos
2021-04-03 20:45 ` Ludovic Courtès
2021-04-03 20:49 ` Ludovic Courtès
2021-04-04 13:29 ` Maxime Devos
2021-04-03 20:27 ` Ludovic Courtès
2021-04-03 20:33 ` Ludovic Courtès
2021-04-04 7:36 ` Maxime Devos
2021-04-05 19:54 ` Ludovic Courtès [this message]
2021-04-06 9:56 ` Maxime Devos
2021-04-06 11:57 ` Ludovic Courtès
2021-04-07 18:28 ` Maxime Devos
2022-10-21 9:31 ` Maxime Devos
2022-10-28 16:03 ` bug#47584: [DRAFT PATCH v2 0/4] Fix race condition in mkdir-p/perms Maxime Devos
2022-10-28 16:04 ` bug#47584: [PATCH 1/3] guile-next: Update to 3.0.8-793fb46 Maxime Devos
2022-10-28 16:04 ` bug#47584: [PATCH 2/3] WIP gnu: Change the Guile used for activation to one that has 'openat' Maxime Devos
2022-10-28 16:04 ` bug#47584: [PATCH 3/3] activation: Fix TOCTTOU in mkdir-p/perms Maxime Devos
2022-10-28 16:05 ` bug#47584: [PATCH 1/3] guile-next: Update to 3.0.8-793fb46 Maxime Devos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zgycqzfz.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=47584@debbugs.gnu.org \
--cc=maximedevos@telenet.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).