I've uploaded an fscrypt security update to the Ubuntu Security PPA. Ubuntu Security will release it once they've reviewed and approved the changes.
** Information type changed from Private Security to Public Security

** Changed in: shadow (Ubuntu)
       Status: New => Invalid

** Changed in: shadow
       Status: New => Invalid

** Changed in: fscrypt (Ubuntu)
       Status: New => Confirmed

** Changed in: fscrypt (Ubuntu)
   Importance: Undecided => Medium

https://bugs.launchpad.net/bugs/1787548

Title:
  PAM fscrypt adds root(0) group to all users called by su

Status in Shadow:
  Invalid
Status in fscrypt package in Ubuntu:
  Confirmed
Status in shadow package in Ubuntu:
  Invalid

Bug description:
  related packages: /bin/su (from login, shadow)
  OS: ubuntu 18.04.1, updated

  Bug:
  a normal user (not in 'root' group), when the PAM module fscrypt is active, all calls of su give the user additional group root(0).

  Results:
  this is a permission escalation, such user can now delete files owned by root group (where permissions are g+w)

  Steps to reproduce:
  0/ login uses pam unix authentication module (default on ubuntu, no action needed)
  0.1/ create a new user:
  # useradd developer

  1/ verify:
  # id developer
  // on my system, shows
  // uid=1004(developer) gid=1004(developer) groups=1004(developer)
  \su - developer -c id
  sudo -u developer id

  2/ enable pam-fscrypt
  # apt install libpam-fscrypt
  # pam-auth-update --enable fscrypt

  3/ verify again (bug shows)
  // repeat step 1/
  // the su command will show the bug (sudo won't, interestingly)
  \su - developer -c id
  // uid=1004(developer) gid=1004(developer) groups=1004(developer),0(root)

  4/ workaround and return to original state:
  pam-auth-update --disable fscrypt
  apt remove libpam-fscrypt

  Thank you,
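
The comparison in steps 1/ and 3/ can be scripted to check a host before and after the fix. The following is an added example, not part of the bug report or of fscrypt; the function names are hypothetical and the two sample lines are the `id` outputs quoted in the report.

```sh
#!/bin/sh
# Print the numeric GIDs from the groups= field of one line of `id` output,
# one per line, sorted and de-duplicated.
gids_of() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' |
        sed -n 's/^\([0-9][0-9]*\).*/\1/p' | sort -un
}

# Print every GID present in the session line ($2) but absent from the
# account-database line ($1). Empty output means no extra groups.
extra_gids() {
    db=$(gids_of "$1")
    for g in $(gids_of "$2"); do
        printf '%s\n' "$db" | grep -qx "$g" || printf '%s\n' "$g"
    done
}

# Live check, to be run as root: compare `id USER` (account database) with
# what a su session for USER actually receives. Returns 1 on a mismatch.
check_user() {
    extra=$(extra_gids "$(id "$1")" "$(\su - "$1" -c id)")
    if [ -n "$extra" ]; then
        echo "su session for $1 gained GIDs:" $extra
        return 1
    fi
    echo "su session for $1 matches the account database"
}

# Offline demonstration on the outputs quoted in the report.
db_line='uid=1004(developer) gid=1004(developer) groups=1004(developer)'
su_line='uid=1004(developer) gid=1004(developer) groups=1004(developer),0(root)'
echo "extra GIDs in su session:" $(extra_gids "$db_line" "$su_line")
```

On an affected host, `check_user developer` reports GID 0; after the workaround in step 4/ it should report a match.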