From 7937b9f18085569e5d7cb8a3c4dc08e1088a94a9 Mon Sep 17 00:00:00 2001 From: Maxime Devos Date: Sat, 3 Apr 2021 18:02:05 +0200 Subject: [PATCH] =?UTF-8?q?website:=20Add=20post=20about=20vulnerability?= =?UTF-8?q?=20in=20=E2=80=98copy-account-skeletons=E2=80=99.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * website/posts/home-symlink.md: New post. --- website/posts/home-symlink.md | 103 ++++++++++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 website/posts/home-symlink.md diff --git a/website/posts/home-symlink.md b/website/posts/home-symlink.md new file mode 100644 index 0000000..9289870 --- /dev/null +++ b/website/posts/home-symlink.md 
@@ -0,0 +1,103 @@ +title: Risk of local privilege escalation in account creation +date: 2021-04-03 17:30 +author: Maxime Devos +tags: Security Advisory +--- + +A security vulnerability that can lead to local privilege escalation +has been found in the activation code of user accounts (excluding +system accounts). It does not affect users on foreign distros +and is only exploitable during system reconfiguration. + +This exploit is _not_ impossible on machines where the Linux [protected +symlinks](https://sysctl-explorer.net/fs/protected_symlinks/) feature +is enabled. It is believed the attack can also be performed using hard +links. + +# Vulnerability + +The attack consists of the user being logged in after the account +skeletons have been copied to the home directory, but before the +owner of the account skeletons have been set. The user then deletes +a copied account skeleton (e.g. `$HOME/.gdbinit`) and replaces +it with a symbolic link to a file not owned by the user, such as +`/etc/shadow`. + +The activation code then changes the ownership of the file the symbolic +link points to instead of the symbolic link itself. At that point, the +user has read-write access to the target file. + +# Fix + +This [bug](https://issues.guix.gnu.org/47584) has been + +[fixed](https://git.savannah.gnu.org/cgit/guix.git/commit/?id= XXX). +See below for upgrade instructions. + +The fix consist of initially creating the home directory root-owned and only +changing the owner of the home directory once all skeletons have been copied +and their owner has been set. + +# Upgrading + +To upgrade the Guix System, run something like: + +``` +guix pull +sudo guix system reconfigure /run/current-system/configuration.scm +sudo reboot +``` + +As the user account activation code is run as a shepherd service, +the last step is required to make sure the fixed activation code +is run in the future. 
+ +To avoid the vulnerability while upgrading the system, only declare +new user accounts in the configuration file after the Guix System +has been upgraded. + +# Conclusions + +The activation code in Guix System originally was written with the +assumption that no other code was running at the same time in mind. +However, this is not a reasonable assumption in practice, as this +vulnerability demonstrates. Thus, it may be worthwhile to look +over other activation code for similar issues. + +While investigating how to fix the issue, it became apparent GNU Guile, +the implementation of the Algorithmic Language Scheme GNU Guix is +written in, is lacking in primitives that usually are used to avoid +these kind of issues, such `openat` and `O_NOFOLLOW`. + +While these primitives turned out not to be necessary to fix the +issue and a [patch series]() +to GNU Guile has been submitted that adds these primitives, this does +serve as a remainder that GNU Guile is a critical component of +Guix System and working around missing primitives will not always be possible. + +This issue is tracked as +[bugĀ #47584](https://issues.guix.gnu.org/47584); you can read the thread +for more information. + +Please report any issues you may have to +[`guix-devel@gnu.org`](https://guix.gnu.org/en/contact/). See the +[security web page](https://guix.gnu.org/en/security/) for information +on how to report security issues. + +#### About GNU Guix + +[GNU Guix](https://guix.gnu.org) is a transactional package manager and +an advanced distribution of the GNU system that [respects user +freedom](https://www.gnu.org/distros/free-system-distribution-guidelines.html). +Guix can be used on top of any system running the Hurd or the Linux +kernel, or it can be used as a standalone operating system distribution +for i686, x86_64, ARMv7, and AArch64 machines. 
+ +In addition to standard package management features, Guix supports +transactional upgrades and roll-backs, unprivileged package management, +per-user profiles, and garbage collection. When used as a standalone +GNU/Linux distribution, Guix offers a declarative, stateless approach to +operating system configuration management. Guix is highly customizable +and hackable through [Guile](https://www.gnu.org/software/guile) +programming interfaces and extensions to the +[Scheme](http://schemers.org) language. -- 2.31.1
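Review bot: two links in the added post are still placeholders and will render broken if this is merged as is. In the Fix section, `[fixed](https://git.savannah.gnu.org/cgit/guix.git/commit/?id= XXX)` has `XXX` (with a stray space before it) where the fix commit hash belongs, and in the Conclusions section `[patch series]()` has an empty URL; both need their real targets before the post is published. The link text `[bugĀ #47584]` also carries a mis-encoded character where a non-breaking space was intended and should be a plain space. On substance, the introduction states the issue "is only exploitable during system reconfiguration", while the Upgrading section says the account activation code "is run as a shepherd service" and that a reboot is required so the fixed code runs in future; if activation also runs at boot, the exposure window should be stated consistently in both places (or the reboot rationale reworded), since readers will use the first statement to assess their risk. The sentence "This exploit is _not_ impossible on machines where the Linux protected symlinks feature is enabled" is a double negative; "the protected symlinks feature does not prevent this attack" says the same thing directly. Minor wording: "owner of the account skeletons have been set" should be "has been set"; "The fix consist of" should be "consists of"; "these kind of issues, such `openat`" should be "these kinds of issues, such as `openat`"; "serve as a remainder" should be "reminder"; and "written with the assumption that no other code was running at the same time in mind" can drop "in mind".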