I reviewed `wsl-pro-service` `0.1.1` as checked into Noble. This shouldn't be 
considered a full audit but rather a quick gauge of maintainability. For the 
sake of completeness, this review will also mention findings reported in 
previous GitHub issues and Launchpad comments.

Ubuntu Pro for WSL (abbreviated UP4W) is a set of applications to manage Ubuntu 
WSL instances, grant them Pro status, orchestrate instances from Landscape and 
manage their lifecycle. It is mostly used in corporate environments.

A user can perform the following steps with the UP4W codebase:
1. Install "Ubuntu Pro for WSL" from the Microsoft Store
2. Use the minimalist UI or the Windows Registry to attach an Ubuntu Pro token
3. Register the WSL instances in Ubuntu Pro and Landscape
4. Verify the status of the Ubuntu Pro token by using the `pro` client 
inside the WSL instance, the Landscape client, or the Windows UP4W GUI.

Useful resources to understand the bigger picture are 
[the landing page](https://ubuntu.com/desktop/wsl), 
[repository](https://github.com/canonical/ubuntu-pro-for-wsl), 
[public documentation](https://canonical-ubuntu-pro-for-wsl.readthedocs-hosted.com/en/latest/#), 
and Canonical-specific specifications (WS0{25,27,28,31}).

The Windows agent can be installed on Windows via [the Microsoft 
Store](https://apps.microsoft.com/detail/9pdxgncfsczv?rtc=1&hl=fr-ch&gl=CH). It 
achieves the Windows-specific tasks of the UP4W infrastructure (such as getting 
the subscription status from the Microsoft Store and setting the registries' 
values), but will not be covered in this review. [Its 
implementation](https://github.com/canonical/ubuntu-pro-for-wsl/tree/main/window
s-agent) can also be found on GitHub.

`wsl-pro-service` is a component of the UP4W Windows and Ubuntu infrastructure 
owned by the Desktop team. It is meant to be a bridge between the `ubuntu-wsl` 
API (interfacing the Windows host with the Ubuntu WSL instance). It is 
implemented with a `systemd` service and a minimalistic CLI tool for Bash 
completion and version retrieval.

The upstream codebase is in 
[the `wsl-pro-service` folder of the aforementioned repository](https://github.com/canonical/ubuntu-pro-for-wsl/tree/main/wsl-pro-service).

- CVE History
 - As this is new software (still in testing), there is no CVE assigned to it.
- Build-Depends
 - The build process uses only the Debian toolchain, `debhelper` extensions for 
Go and `apport` crash reporting, and the Go toolchain.
- Other dependencies
 - The relevant Debian dependencies used when operating the service are:
  - `ubuntu-advantage-tools`, which is required for its Ubuntu Pro CLI client; 
and
  - An optional `landscape-client`.
 - The package vendors Go dependencies, which violate the Debian policy.
  - These are updated by the upstream using a GHA called 
`update-workspace-dependencies`, which is integrated into the 
`auto-updates.yaml` workflow.
  - In addition, the repository has GitHub's Dependabot set.
- pre/post inst/rm scripts
 - The scripts are standard, as generated by `dh_installsystemd`.
- init scripts
 - N/A
- systemd units
 - There is a `systemd` unit called `wsl-pro-service` that runs 
`/usr/libexec/wsl-pro-service -vv` as `root`.
 - The service also leverages multiple `systemd` configuration directives to 
confine itself as much as possible.
- dbus services
 - N/A
- setuid binaries
 - N/A
- binaries in PATH
 - N/A
- sudo fragments
 - N/A
- polkit files
 - N/A
- udev rules
 - N/A
- unit tests / autopkgtests
 - Each Go module is tested accordingly.
 - The testing coverage is reported by 
[Codecov](https://app.codecov.io/gh/canonical/ubuntu-pro-for-wsl) to be 87%.
 - These tests are also integrated into `autopkgtests`.
- cron jobs
 - N/A
- Build logs
 - N/A

- Processes spawned
 - Because of the lack of other IPC methods with other involved binaries, the 
service delegates operations to other binaries:
  - `pro` for attaching and detaching Ubuntu Pro tokens;
  - `wslinfo` for getting information about the WSL instance;
  - `landscape-config` for manipulating the Landscape configuration; and
  - `wslpath` for Windows-Linux path translations.
 - The binaries are specified by name, so they will be searched in `$PATH`. As 
the service runs as `root`, there is no risk of path hijacking.
 - The commands are built by explicitly specifying the executables (hard-coded) 
and their arguments. No instance of command injection was found during this 
review.
- Memory management
 - N/A
- File IO
 - The service operates with the following files: 
  - `/etc/os-release` for obtaining the OS release;
  - `/etc/resolv.conf` for obtaining the configured DNS server;
  - `/proc/net/route` for getting the default gateway; 
  - `/etc/landscape/client.conf` as the Landscape configuration file;
  - `/etc/landscape/client.conf.new` as the temporary Landscape configuration 
file;
  - `$USER_PROFILE/.address` for the address (`<host>:<port>`) of the gRPC 
server created by 
[the Windows service](https://github.com/canonical/ubuntu-pro-for-wsl/blob/main/windows-agent/internal/daemon/daemon.go#L34); 
and
  - `$USER_PROFILE/.ubuntupro` for the sharing of data between components.
 - Paths are constructed with `pathlib.Join`, which is prone to path traversal 
when not used with `pathlib.Clear`. This is the case in the codebase, but all 
paths are static.
 - The temporary Landscape configuration has invalid permissions. The full 
description of the issue can be found in 
[a previous Launchpad bug](https://bugs.launchpad.net/ubuntu/+source/wsl-pro-service/+bug/2052495/comments/2). 
The issue was patched in the meantime in 
[this GitHub PR](https://github.com/canonical/ubuntu-pro-for-wsl/pull/700).
- Logging
 - The service uses logging with different logging levels.
 - 4 characters of the Ubuntu Pro token are logged for traceability reasons, 
but there is no security risk in this because the token has 30 alphanumerical 
characters.
 - The key-value pairs of the Landscape configuration file are logged. This is 
not a secure default. The full description can be found in [a GitHub 
issue](https://github.com/canonical/ubuntu-pro-for-wsl/issues/635). A patch was 
released after creating the issue.
- Environment variable usage
 - Only two trusted environment variables are used:
  - `GOPRIVATE` specifies which modules should be considered private.
  - `WSL_DISTRO_NAME` may specify the distribution name running inside the WSL 
environment.
- Use of privileged functions
 - N/A
- Use of cryptography / random number sources etc
 - See the networking section below.
 - No RNGs are used as cryptographic seed generators.
- Use of temp files
 - N/A
- Use of networking
 - gRPC and Protocol Buffers are used to communicate with the Windows agent.
 - No privileged port is exposed.
 - The gRPC communication doesn't use encryption or authorisation. The full 
description of the issue can be found in 
[a previous Launchpad bug](https://bugs.launchpad.net/ubuntu/+source/wsl-pro-service/+bug/2052495/comments/2).
- Use of WebKit
 - N/A
- Use of PolicyKit
 - N/A

- Any significant cppcheck results
 - N/A
- Any significant Coverity results
 - N/A
- Any significant shellcheck results
 - N/A
- Any significant bandit results
 - N/A
- Any significant govulncheck results
 - The Desktop Team has 
[a `go-sanity` action defined in one of its repositories](https://github.com/canonical/desktop-engineering/blob/main/gh-actions/go/code-sanity/action.yaml#L207). 
The action is used in the `ubuntu-pro-for-wsl` repository in 
[the QA workflow](https://github.com/canonical/ubuntu-pro-for-wsl/blob/073a88e5f022f806d18032a5e2263a7f4c60ca43/.github/workflows/qa.yaml#L71). 
An example run of Govulncheck is 
[here](https://github.com/canonical/ubuntu-pro-for-wsl/actions/runs/8139999190/job/22244334862).
 - There is no reported warning.
 - All `nosec:gosec` comments were checked. The single concern was regarding 
the aforementioned permissions of `/etc/landscape/landscape.conf.new`.
- Any significant Semgrep results
 - The WSL instance can eventually be tricked into executing commands inside 
the Windows host. The full description can be found in 
[a GitHub issue](https://bugs.launchpad.net/ubuntu/+source/wsl-pro-service/+bug/2052495/comments/2).
 - A negative port may be returned by `net.SplitHostPort`, leading to undefined 
behaviour. The full description can be found in [a GitHub 
issue](https://github.com/canonical/ubuntu-pro-for-wsl/issues/629). A patch was 
released after creating the issue.
 - A crash may happen if an IPv6 address is configured in the 
`/etc/resolv.conf` file. The full description can be found in [a GitHub 
issue](https://github.com/canonical/ubuntu-pro-for-wsl/issues/622). A patch was 
released after creating the issue.
 - Goroutine leaks in `internal/daemon/daemon.go`, a command injection in the 
`wslpath`, and a reflection by name in 
`internal/grpc/logconnections/logconnections.go` were also reported. The manual 
investigation invalidated them.

The issues identified during this review were reported, and the majority of 
them were patched. The insecure gRPC communication is not currently patched, 
and the command execution is not validated. Based on conversation with the 
owning team, those issues will undoubtedly be addressed, therefore an 
acknowledgement can be provided beforehand for enabling the promotion of the 
package before beta freeze.

Security team ACK for promoting `wsl-pro-service` to main.

Thanks!

** Bug watch added: github.com/canonical/ubuntu-pro-for-wsl/issues #635
   https://github.com/canonical/ubuntu-pro-for-wsl/issues/635

** Bug watch added: github.com/canonical/ubuntu-pro-for-wsl/issues #629
   https://github.com/canonical/ubuntu-pro-for-wsl/issues/629

** Bug watch added: github.com/canonical/ubuntu-pro-for-wsl/issues #622
   https://github.com/canonical/ubuntu-pro-for-wsl/issues/622

** Changed in: wsl-pro-service (Ubuntu Noble)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: wsl-pro-service (Ubuntu Noble)
       Status: Confirmed => In Progress

https://bugs.launchpad.net/bugs/2052495

Title:
  [MIR] wsl-pro-service
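
Added example, not part of the review above or of the UP4W code base: the review's `net.SplitHostPort` finding concerns the `<host>:<port>` text read from the `.address` file, and `net.SplitHostPort` only splits that string and returns the port unvalidated. The sketch below shows one way to range-check it; the function name `parseAgentAddress` is hypothetical, and it assumes the agent address is always an IP literal.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strconv"
	"strings"
)

// parseAgentAddress validates the "<host>:<port>" text read from the
// address file. net.SplitHostPort only splits the string: it accepts
// "-1", "99999" or "http" as the port, so the range check is done here.
func parseAgentAddress(raw string) (netip.AddrPort, error) {
	host, portStr, err := net.SplitHostPort(strings.TrimSpace(raw))
	if err != nil {
		return netip.AddrPort{}, fmt.Errorf("malformed address: %w", err)
	}
	// ParseUint rejects signs, service names and values above 16 bits.
	port, err := strconv.ParseUint(portStr, 10, 16)
	if err != nil || port == 0 {
		return netip.AddrPort{}, fmt.Errorf("invalid port %q", portStr)
	}
	// Assumption: the address is an IP literal, never a host name, so no
	// DNS lookup is triggered by untrusted file content.
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return netip.AddrPort{}, fmt.Errorf("invalid host %q: %w", host, err)
	}
	return netip.AddrPortFrom(addr, uint16(port)), nil
}

func main() {
	// Constructed sample inputs, not taken from a real installation.
	samples := []string{
		"127.0.0.1:50051\n", "[::1]:50051",
		"127.0.0.1:-1", "127.0.0.1:99999", "::1:50051",
	}
	for _, s := range samples {
		ap, err := parseAgentAddress(s)
		fmt.Printf("%q -> %v, err=%v\n", s, ap, err)
	}
}
```

Returning a `netip.AddrPort` instead of the raw strings means later code cannot re-use an unchecked port value.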
