Package: fcgiwrap
Version: 1.1.0-12
Severity: critical
Tags: patch, security

On a default installation of Debian 11 (bullseye) with other releases probably also affected, systemd socket file /lib/systemd/system/fcgiwrap.socket from package fcgiwrap contains no Mode= configuration parameter, making systemd pick the default 0666. The socket is therefore world accessible and any user on the system may, when package fcgiwrap is installed, elevate privileges and execute code as www-data user by communicating with the socket via fastcgi protocol. www-data is specified as User= and Group= in /lib/systemd/system/fcgiwrap.service, also supplied by package fcgiwrap.

Proof of concept terminal recording: http://upload.sijanec.eu/f.mp4

Solution: add SocketMode=0660, SocketUser=www-data, Group=www-data to /lib/systemd/system/fcgiwrap.socket --- this would, however, break existing configurations that rely on /run/fcgiwrap.socket being world connectable.

Is this intended behaviour? Doesn't it break user's expectations, as suddenly everyone can influence httpd (nginx slaves also run under www-data, for example)?

----- BEGIN PATCH ----- Author: Anton Luka Šijanec <an...@sijanec.eu> Description: Modify default user/group and listening mode of socket Forwarded: no --- a/systemd/fcgiwrap.socket +++ b/systemd/fcgiwrap.socketfixed 
@@ -3,6 +3,9 @@ Description=fcgiwrap Socket [Socket] ListenStream=/run/fcgiwrap.sock +Mode=0660 +SocketUser=www-data +SockerGroup=www-data [Install] WantedBy=sockets.target ----- END PATCH -----

Attachments:

root@host:~# ls -lah /run/fcgiwrap.socket
srw-rw-rw- 1 root root 0 Nov 8 19:42 /run/fcgiwrap.socket

=> /lib/systemd/system/fcgiwrap.socket
[Unit]
Description=fcgiwrap Socket

[Socket]
ListenStream=/run/fcgiwrap.socket

[Install]
WantedBy=sockets.target

=> /lib/systemd/system/fcgiwrap.service
[Unit]
Description=Simple CGI Server
After=nss-user-lookup.target
Requires=fcgiwrap.socket

[Service]
Environment=DAEMON_OPTS=-f
EnvironmentFile=-/etc/default/fcgiwrap
ExecStart=/usr/sbin/fcgiwrap ${DAEMON_OPTS}
User=www-data
Group=www-data

[Install]
Also=fcgiwrap.socket

--
Anton Luka Šijanec <an...@sijanec.eu>
F4C3E3A4DFB7254397A9F993E76135F49802CD14
http://splet.sijanec.eu/pgp-key.txt
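
Review bot: Two of the three added lines in the hunk, "+Mode=0660" and "+SockerGroup=www-data", are not key names the [Socket] section recognises, so systemd would ignore them and the socket would keep the default 0666 mode and root group; only "+SocketUser=www-data" would take effect. The report text itself names SocketMode=, and the group key is SocketGroup=, so the lines should read "+SocketMode=0660" and "+SocketGroup=www-data". The context line also shows ListenStream=/run/fcgiwrap.sock while the attached unit file shows /run/fcgiwrap.socket, and the "+++" header targets fcgiwrap.socketfixed, so the patch is unlikely to apply to the shipped file as posted; regenerating it against the installed unit would resolve both.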
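
A defensive audit for the condition the report describes, as an added example that is not part of the original report or of the fcgiwrap package: it parses a socket unit and returns the mode and ownership systemd would apply to each AF_UNIX socket path. The function names and the hardened sample are assumptions; the shipped sample is copied from the report's attachment.

```python
import stat

# Sample 1: the shipped unit, as quoted in the report's attachment.
SHIPPED = """\
[Unit]
Description=fcgiwrap Socket

[Socket]
ListenStream=/run/fcgiwrap.socket

[Install]
WantedBy=sockets.target
"""

# Sample 2 (constructed, an assumption): a hardened variant of the same unit.
HARDENED = SHIPPED.replace(
    "ListenStream=/run/fcgiwrap.socket\n",
    "ListenStream=/run/fcgiwrap.socket\nSocketMode=0660\n"
    "SocketUser=www-data\nSocketGroup=www-data\n")

def socket_settings(unit_text):
    """Collect [Socket] keys; repeatable keys such as ListenStream= become lists."""
    section, keys = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Socket" and "=" in line:
            key, value = line.split("=", 1)
            keys.setdefault(key.strip(), []).append(value.strip())
    return keys

def audit(unit_text):
    """Return (path, mode, owner, group, world_connectable) per filesystem socket."""
    keys = socket_settings(unit_text)
    # systemd defaults when unset: SocketMode=0666, owner and group root.
    mode = int(keys.get("SocketMode", ["0666"])[-1], 8)
    owner = keys.get("SocketUser", ["root"])[-1]
    group = keys.get("SocketGroup", ["root"])[-1]
    # Connecting to an AF_UNIX socket needs write permission on its inode.
    world = bool(mode & stat.S_IWOTH)
    return [(path, oct(mode), owner, group, world)
            for path in keys.get("ListenStream", []) if path.startswith("/")]

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("hardened", HARDENED)):
        for finding in audit(text):
            print(name, finding)
```

Only key names that systemd recognises are read, so a unit carrying a misspelled or unknown key is still reported with the default 0666 mode.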