Your message dated Fri, 30 Aug 2019 19:34:17 +0000
with message-id <[email protected]>
and subject line Bug#935991: fixed in dh-runit 2.8.14
has caused the Debian Bug report #935991,
regarding dh-runit: please avoid excessive/dangerous chown/chmod
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
935991: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935991
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dh-runit
Version: 2.8.13.2
Tags: security
Control: affects -1 tor openssh-server

by default, dh-runit sets up logging runscripts like this:

------------
1 #!/bin/sh
2 chown -R runit-log:adm '/var/log/runit/tor'
3 chmod 750 '/var/log/runit/tor'
4 chmod u+rw,g+r,o-rwx '/var/log/runit/tor'/*
5 exec chpst -u runit-log svlogd -tt '/var/log/runit/tor'
------------

Lines 2 and 4 are dangerous due to linking attacks.

hardlinks and chown (line 2)
----------------------------

If /var/log/runit/tor happens to be on the same filesystem as another
interesting file, and fs.protected_hardlinks is not set to 1, then the
runit-log user can get read/write access to that data by hard-linking
to it, and waiting for line 2 to trigger at the next launch of the
logging process.

Even if fs.protected_hardlinks is set to 1, line 2 permits the
runit-log user to gain ownership of any file in the same filesystem
that they merely have read-write access to.

Note that fs.protected_hardlinks just protects *creation* of a
hardlink while that sysctl property is set. So even a single reboot
into a kernel with fs.protected_hardlinks=0 by default, or a brief
switch to fs.protected_hardlinks=0 provides a window of opportunity
for the hardlink to be created, which sets the stage for the
subsequent compromise when this runscript is launched again later. As
long as the link is made, the compromise happens at the next launch,
even if fs.protected_hardlinks is back to 1 at that point.

symlinks and chmod (line 4)
---------------------------

line 4 permits the runit-log user to change the permissions in the
specified way on *any* file in the filesystem, just by symlinking to
that file from within the specified directory.

from chmod(1):

    However, for each symbolic link listed on the command line, chmod
    changes the permissions of the pointed-to file. In contrast, chmod
    ignores symbolic links encountered during recursive directory
    traversals.

fs.protected_symlinks=1 offers no protection against this because
/var/log/runit/tor/ is not a sticky world-writable directory.

granted, these are fairly standard constrained permissions, and won't
be a serious security risk for many files, but it is a surprising side
effect that the runit-log user gets this sort of power over any file
anywhere in the filesystem.

how to fix
----------

It is a better policy to non-recursively chown/chmod the top-level
directory (/var/log/runit/tor in this example) and to not touch any
file below there. If that strategy fails, it fails because something
is already wrong in that directory.

If the goal of this promiscuous chown/chmod action is to provide group
adm with read access to the files in question, it is better to have
the runit-log user do that explicitly (i.e. to implement it in svlogd,
perhaps with acls?).

        --dkg
--- End Message ---
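
Added example (not part of the bug report, and not the code shipped in dh-runit 2.8.14): a shell sketch of the policy the report recommends, setting owner and mode on the top-level log directory only, together with an audit that lists the symlinks and multiply-linked files the old runscript would have acted through. The function names and the sandbox layout are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not dh-runit's.

# Print every entry under DIR that the old runscript would have acted on
# through a link: symlinks (followed by the globbed chmod) and
# non-directories with more than one hard link (re-owned by chown -R).
audit_logdir() {
    find "$1" \( -type l -o \( ! -type d -links +1 \) \) -print
}

# Policy from the report: chown/chmod the top-level directory only,
# non-recursively, and touch nothing below it.
prepare_logdir() {
    dir=$1 owner=$2
    # Refuse a missing or symlinked top-level directory.
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    chown "$owner" "$dir" && chmod 750 "$dir"
}

# Constructed sandbox: one ordinary log file, plus a symlink and a hard
# link that both point at a mode-600 file outside the log directory.
# Prints "<flagged entries> <mode of the outside file afterwards>".
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/log" && : > "$tmp/log/current" && : > "$tmp/outside"
    chmod 600 "$tmp/outside"
    ln -s "$tmp/outside" "$tmp/log/sym"
    ln "$tmp/outside" "$tmp/log/hard"
    # The current uid:gid stands in for runit-log:adm so this runs unprivileged.
    prepare_logdir "$tmp/log" "$(id -u):$(id -g)" || return 1
    flagged=$(audit_logdir "$tmp/log" | wc -l | tr -d ' ')
    mode=$(ls -l "$tmp/outside" | cut -c1-10)
    rm -rf "$tmp"
    echo "$flagged $mode"
}

demo
```

The audit flags both links while the outside file keeps its mode, because nothing below the top-level directory was touched.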
--- Begin Message ---
Source: dh-runit
Source-Version: 2.8.14

We believe that the bug you reported is fixed in the latest version of
dh-runit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Bogatov <[email protected]> (supplier of updated dh-runit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Fri, 30 Aug 2019 19:13:17 +0000
Source: dh-runit
Architecture: source
Version: 2.8.14
Distribution: unstable
Urgency: medium
Maintainer: Dmitry Bogatov <[email protected]>
Changed-By: Dmitry Bogatov <[email protected]>
Closes: 929778 934173 934500 935991 935997 938967 938968
Changes:
 dh-runit (2.8.14) unstable; urgency=medium
 .
   * Ensure that all supported scripts in svdir are executable
     (Closes: #934173)
   * Move supervise directories of generated packages to tmpfs
     (Closes: #934500)
   * Add new option for dh_runit: presubj (Closes: #929778)
   * Fix indentation of `runit-helper'
   * Ensure that supervise link change does not break running services
   * Do not impose unneeded dependency on runit-helper (Closes: #935997)
   * Temporary disable testsuite due build-dependency transition
   * Avoid dangerous chown/chmod in log runscript.
     Thanks to Daniel Kahn Gillmor <[email protected]> (Closes: #935991)
   * Remove vim/emacs modelines from maintainer script snippets
     (Closes: #938967)
   * Do not pollute namespace in maintainer scripts (Closes: #938968)
--- End Message ---

