I've uploaded an fscrypt security update to the Ubuntu Security PPA.
Ubuntu Security will release it once they've reviewed and approved the
changes.

** Information type changed from Private Security to Public Security

** Changed in: shadow (Ubuntu)
       Status: New => Invalid

** Changed in: shadow
       Status: New => Invalid

** Changed in: fscrypt (Ubuntu)
       Status: New => Confirmed

** Changed in: fscrypt (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1787548

Title:
  PAM fscrypt adds root(0) group to all users called by su

Status in Shadow:
  Invalid
Status in fscrypt package in Ubuntu:
  Confirmed
Status in shadow package in Ubuntu:
  Invalid

Bug description:
  related packages: /bin/su (from login , shadow)

  OS: ubuntu 18.04.1, updated

  Bug: for a normal user (not in the 'root' group), when the PAM module
  fscrypt is active, all calls of su give the user the additional group
  root(0).

  Results: this is a permission escalation; such a user can now delete
  files owned by the root group (where permissions are g+w).

  Steps to reproduce:
  0/ login uses the pam unix authentication module (default on ubuntu, no
  action needed)
  0.1/ create a new user:
  # useradd developer

  1/ verify:
  # id developer
  // on my system, shows
  // uid=1004(developer) gid=1004(developer) groups=1004(developer)
  \su - developer -c id
  sudo -u developer id

  2/ enable pam-fscrypt
  # apt install libpam-fscrypt
  # pam-auth-update --enable fscrypt

  3/ verify again (bug shows)
  // repeat step 1/
  // the su command will show the bug (sudo won't, interestingly)
  \su - developer -c id
  // uid=1004(developer) gid=1004(developer) groups=1004(developer),0(root)

  4/ workaround and return to original state:
  pam-auth-update --disable fscrypt
  apt remove libpam-fscrypt

  Thank you,
