On 11/27/2017 10:34 PM, Colony.three wrote:
    ExecStartPre=/bin/chown -R spamd:spamd /run/spamassassin

There's a root exploit for the "spamd" user in that last line. Assuming
you got the tmpfiles.d thing working, you should delete those
ExecStartPre commands.

Can you explain further please?

If this is true, someone should tell Red Hat that their
/usr/lib/systemd/system/spamass-milter-root.service has the same problem.

On 28.11.17 09:03, Michael Orlitzky wrote:
The "chown" command follows both symlinks and hardlinks by default.

to be more precise, there is nothing like "following hard links" because
hard links are "the" files.

When used with the "-R" flag, it only follows hardlinks,

it recurses into /run/spamassassin, handling all files and directories
there, not following symlinks.

but that can still
be abused by the "spamd" user. The first time "chown -R" gets executed,
you give ownership of /run/spamassassin to the "spamd" user. The second
(and third, ...) time that the service is started, the "spamd" user owns
that directory and can place a hard link in it pointing to a root-owned
file. The "chown" call will then give root's file to the "spamd" user.

The simple workaround is to avoid the "-R" flag. In fact, we only need it
when we create /run/spamassassin so it gets owned by spamd.

The exploit is trickier in this case because /run is on a tmpfs, and
because hard links can't cross filesystem boundaries. But I would bet
that you have something else sensitive in /run that can be used to gain
root.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler
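As an added example (not code from this thread or from the spamassassin packaging), a POSIX shell replacement for the quoted ExecStartPre line that chowns only the directory itself, never recursively, plus a check that counts hard-linked files inside a runtime directory; the function names are my own, the /run/spamassassin path and the spamd user are the ones discussed above.

```shell
#!/bin/sh
# Added example: safe creation of a runtime directory and an audit for
# hard links inside it. Not code from the thread; function names are assumed.

# prepare_runtime_dir DIR OWNER GROUP
# Create DIR if it is missing and chown ONLY the directory, never its
# contents. This is what the "d /run/spamassassin 0755 spamd spamd" style
# tmpfiles.d entry achieves; a recursive chown on every start is what
# lets a directory owner hand out someone else's files via hard links.
prepare_runtime_dir() {
  dir=$1
  owner=$2
  group=$3
  if [ ! -d "$dir" ]; then
    mkdir -m 0755 "$dir" || return 1
    chown "$owner:$group" "$dir" || return 1
  fi
  return 0
}

# count_multilinked DIR
# Print the number of pathnames under DIR that are regular files with a
# link count above 1. Any such entry is a second name for a file that may
# live elsewhere on the same filesystem, so a "chown -R" over DIR would
# change that file's owner too. A non-zero count is worth investigating.
count_multilinked() {
  find "$1" -type f -links +1 2>/dev/null | wc -l | tr -d ' '
}
```

Running `count_multilinked /run/spamassassin` from a cron job or a pre-start hook gives a cheap detection for the condition the thread describes, independent of whether the service file was already fixed.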
