>> On 11/27/2017 10:34 PM, Colony.three wrote:
>>
>>>> ExecStartPre=/bin/chown -R spamd:spamd /run/spamassassin
>>>>
>>>> There's a root exploit for the "spamd" user in that last line. Assuming
>>>> you got the tmpfiles.d thing working, you should delete those
>>>> ExecStartPre commands.
>>>
>>> Can you explain further please?
>>> If this is true, someone should tell Red Hat that their
>>> /usr/lib/systemd/system/spamass-milter-root.service has the same problem.
>>>
>>> On 28.11.17 09:03, Michael Orlitzky wrote:
>>> The "chown" command follows both symlinks and hardlinks by default.
>>>
>>> to be more precise, there is nothing like "following hard links" because
>>> hard links are "the" files.
>>>
>>> When used with the "-R" flag, it only follows hardlinks,
>>>
>>> it recurses into /run/spamassassin, handling all files and directories
>>> there, not following symlinks.
>>>
>>> but that can still
>>> be abused by the "spamd" user. The first time "chown -R" gets executed,
>>> you give ownership of /run/spamassassin to the "spamd" user. The second
>>> (and third, ...) time that the service is started, the "spamd" user owns
>>> that directory and can place a hard link in it pointing to a root-owned
>>> file. The "chown" call will then give root's file to the "spamd" user.
>>>
>>> The simple workaround is to avoid the "-R" flag. In fact, we only need it
>>> when we create /run/spamassassin so it gets owned by spamd.
>>>
>>> The exploit is trickier in this case because /run is on a tmpfs, and
>>> because hard links can't cross filesystem boundaries. But I would bet
>>> that you have something else sensitive in /run that can be used to gain
>>> root.

Interesting, thanks guys.

I'd added the chown because I thought I needed it, but have now found that it's 
entirely unnecessary. (Someone should let RedHat know about their 
milter.service though -- I tried but can't get signed up for Bugzilla)

FWIW here's what I think RedHat's spamassassin.service -should- look like.  
Works perfectly, unlike RedHat's version which does not create the socket 
directory, nor have Nice, nor security.

[Unit]
Description=Spamassassin daemon
After=syslog.target network.target
PartOf=spamassassin-update.service

[Service]
Type=forking
EnvironmentFile=-/etc/sysconfig/spamassassin
ExecStartPre=-/sbin/portrelease spamd
# Create socket directory:
RuntimeDirectory=spamassassin
RuntimeDirectoryMode=770
ExecStart=/usr/bin/spamd --pidfile /run/spamassassin/spamd.pid $SPAMDOPTIONS
Nice=5
StandardOutput=syslog
StandardError=syslog
Restart=always

# Security
PrivateTmp=yes
InaccessibleDirectories=/bin /boot /home /media /mnt /opt /root /sbin /sys
ReadOnlyDirectories=/lib /lib64 /usr
CapabilityBoundingSet=~CAP_SYS_PTRACE
DeviceAllow=/dev/null rw
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
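For anyone stuck on a systemd too old for RuntimeDirectory= and still needing an ExecStartPre step, this is the non-recursive pattern Michael describes above (chown only the directory itself, never -R), plus a small audit that lists hard-linked files inside a runtime directory, which is what a recursive chown would hand over. This is an added example written for this thread, not code from Red Hat's unit or from spamassassin; the function names, the symlink refusal and the audit are my own additions.

```shell
#!/bin/sh
# Safe stand-in for "ExecStartPre=/bin/chown -R spamd:spamd /run/spamassassin".
# Creates the directory if missing, then chowns/chmods ONLY the directory
# itself (no -R), so anything the service user later places inside is never
# re-owned. Refuses to act on a symlink, since chown would follow it.
# Usage: prepare_runtime_dir DIR OWNER GROUP [MODE]
prepare_runtime_dir() {
    dir=$1; owner=$2; group=$3; mode=${4:-0770}
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        mkdir -m "$mode" "$dir" || return 1
    fi
    chown "$owner:$group" "$dir" || return 1   # directory only, no -R
    chmod "$mode" "$dir" || return 1
    return 0
}

# Audit helper: print regular files under DIR whose link count is above 1.
# A hard link inside a service-owned runtime directory is exactly the case
# the thread warns about; a recursive chown would change the owner of the
# underlying inode, i.e. of the file it was linked from.
# Usage: find_multilinked DIR
find_multilinked() {
    find "$1" -type f -links +1
}
```

Run the audit against /run/spamassassin (or any RuntimeDirectory) to confirm it prints nothing before trusting any recursive ownership change there.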
