Package: trousers
Version: 0.3.14+fixed1-1
Severity: normal
Tags: patch security

trousers.postinst has:

case "${1}" in
        configure)
                # Adding tss system user
                adduser --system --quiet --home /var/lib/tpm --shell /bin/false --no-create-home --group tss

                # Setting owner
                chown tss:tss /var/lib/tpm -R
                chown tss:tss /etc/tcsd.conf

This means that upon package configuration, there will be a recursive
chown of the contents of /var/lib/tpm to be owned by the tss user.

If the tss user account is compromised, and the kernel is running
without fs.protected_hardlinks=1, then tss can link to arbitrary
files on the same filesystem as this directory, and wait for a package
upgrade to gain ownership of the linked file.

I've only looked at testing/unstable, but I would guess that this
security bug goes back a long way.
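As an added illustration (not part of this report or of the trousers package), a small POSIX sh audit that a maintainer script or an admin can run against a service-writable state directory before any recursive chown: it checks the two conditions described above, whether fs.protected_hardlinks is on, and whether the directory already holds regular files with more than one link (names that may also exist elsewhere on the filesystem). The directory path and function names are my own choices.

```shell
# Added example, not code from the trousers package. Point-in-time audit
# of a directory that an unprivileged service user (here tss) can write to,
# run before a maintainer script would chown it recursively. It is only a
# check: a hard link can still appear after it runs, so the durable fix is
# to drop the recursive chown altogether, as the report proposes.

# 0 if the kernel refuses hard links to files the caller cannot write
# (fs.protected_hardlinks=1), 1 otherwise.
protected_hardlinks_enabled() {
    [ "$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null)" = "1" ]
}

# Print regular files under DIR ($1) whose link count is greater than one.
# Stays on one filesystem (-xdev) and never follows symlinks, so it only
# reports names that are also reachable under some other path.
multi_linked_files() {
    find "$1" -xdev -type f -links +1 -print
}

# 0 if DIR ($1) contains no multi-linked regular files, 1 otherwise.
dir_has_no_foreign_links() {
    [ -z "$(multi_linked_files "$1")" ]
}

# Combined gate: succeed only when the kernel mitigation is on AND nothing
# inside DIR ($1) is currently hard-linked from elsewhere.
recursive_chown_looks_safe() {
    protected_hardlinks_enabled && dir_has_no_foreign_links "$1"
}

# Usage in a maintainer script (state dir is an assumed example path):
#   if recursive_chown_looks_safe /var/lib/tpm; then
#       chown -R tss:tss /var/lib/tpm
#   else
#       chown tss:tss /var/lib/tpm    # directory entry only
#   fi
```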

It can be fixed simply by making this chown non-recursive:


--- /var/lib/dpkg/info/trousers.postinst        2016-11-20 10:10:31.000000000 
-0500
+++ ./trousers.postinst 2018-02-03 15:34:19.655511509 -0500
@@ -8,7 +8,7 @@
                adduser --system --quiet --home /var/lib/tpm --shell /bin/false 
--no-create-home --group tss
 
                # Setting owner
-               chown tss:tss /var/lib/tpm -R
+               chown tss:tss /var/lib/tpm
                chown tss:tss /etc/tcsd.conf
 
                # Setting permissions
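Review bot: with -R removed, the chown now touches only the /var/lib/tpm directory entry itself, so a hard link that tss placed inside the directory is no longer reached, which closes the ownership grab described in the report. The one behaviour this drops is repair of files already present under /var/lib/tpm with the wrong owner from an earlier install; if the package relies on that, add a version-guarded branch on the upgrade-from version ("$2") that fixes only entries with a single link, rather than restoring the recursive chown.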


Thanks for maintaining trousers in Debian!

       --dkg


-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages trousers depends on:
ii  adduser    3.116
ii  libc6      2.26-4
ii  libssl1.1  1.1.0g-2
ii  lsb-base   9.20170808

trousers recommends no packages.

trousers suggests no packages.

-- Configuration Files:
/etc/tcsd.conf [Errno 13] Permission denied: '/etc/tcsd.conf'

-- no debconf information