[This mail is in a public mailing list]

Hi Serge, Danila,

On 2026-05-23T09:48:48-0500, Serge E. Hallyn wrote:
> Here's the other one that didn't make it to you. I think it was somewhat
> low priority and I let it drop off my radar.
>
> ----- Forwarded message from Danila Khomichenok <[email protected]> -----
>
> Date: Fri, 8 May 2026 18:04:13 +0300
> From: Danila Khomichenok <[email protected]>
> To: [email protected], [email protected], [email protected]
> Subject: Re: LPE in shadow-utils
>
> Here is the bug report to Ubuntu:
> https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/2146812
>
> On Fri, May 8, 2026 at 5:39 PM Danila Khomichenok <
> [email protected]> wrote:
>
> > Hello.
> > I previously reported a bug in Ubuntu where a user, after being
> > removed from a group in /etc/group, could still reuse group
> > privileges if the entry was present in gshadow.
> > Standard commands like id and groups no longer show the user as
> > a member, creating a hidden persistence mechanism.
> >
> > An attacker with existing low-privileged access could exploit this
> > to regain membership in high-impact groups (such as docker, lxd,
> > disk, or sudo), leading to local privilege escalation (LPE).

Danila, I think this isn't too dangerous, so we should make the report
public. Would you mind opening a public bug report on our github?

> > The expected behavior is that removal from /etc/group should be
> > sufficient to revoke group access entirely. The current
> > inconsistency between the two files can mislead administrators and
> > create a false sense of security.

Hmmm, there's a problem. group(5) and gshadow(5) both specify a members
list, and if they disagree, we have a problem: which source should be
trusted? One of them? The union? The intersection? Fail if the files
don't match?

I don't have a good answer. Do you people have any opinions?

> > Also, the related commands 'groups' and 'id' do not display
> > information about the user's membership in a group, for example
> > 'docker', as seen in the screenshot.

Since there are various implementations of id(1) and groups(1),
including GNU coreutils, I think a bug report should include maintainers
of those projects. I've CCd coreutils@ in this email.

> > The Ubuntu developers recommended that I contact you about this issue:
> > `I don't see any fixes in the upstream shadow repository that look
> > like they would fix this behavior. I suggest filing a bug with the
> > shadow project and adding it here. Once they have an acceptable fix
> > available, we can look into adding it to Ubuntu.'
> >
> >
>
> ----- End forwarded message -----

Have a lovely day!
Alex

--
<https://www.alejandro-colomar.es>
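
An added example, not part of the message above and not code from the shadow project: an audit check that parses the members field of group(5) and gshadow(5) data and reports every user listed in only one of the two files. The function names and the sample file contents are constructed for illustration; the check only reports the disagreement and does not decide which file should be trusted.

```python
"""Report member-list disagreements between group(5) and gshadow(5) data."""

# Constructed sample contents (not taken from any real system).
SAMPLE_GROUP = """\
root:x:0:
docker:x:998:alice
disk:x:6:
sudo:x:27:alice,carol
"""
SAMPLE_GSHADOW = """\
root:*::
docker:!::alice,bob
disk:!::bob
sudo:*::alice
lxd:!::dave
"""


def parse_members(text, field):
    """Map group name -> set of members taken from colon-separated `field`."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) <= field:
            continue  # malformed entry; a real audit should flag it
        groups[parts[0]] = {m for m in parts[field].split(",") if m}
    return groups


def membership_drift(group_text, gshadow_text):
    """Return sorted (group, user, file_that_still_lists_user) tuples."""
    grp = parse_members(group_text, 3)    # name:passwd:gid:members
    gsh = parse_members(gshadow_text, 3)  # name:passwd:admins:members
    drift = []
    for name in sorted(set(grp) | set(gsh)):
        in_grp, in_gsh = grp.get(name, set()), gsh.get(name, set())
        drift += [(name, u, "gshadow") for u in sorted(in_gsh - in_grp)]
        drift += [(name, u, "group") for u in sorted(in_grp - in_gsh)]
    return drift


if __name__ == "__main__":
    for name, user, where in membership_drift(SAMPLE_GROUP, SAMPLE_GSHADOW):
        print(f"{name}: {user} is listed only in {where}")
```

To audit a real host, pass the contents of /etc/group and /etc/gshadow to `membership_drift`; reading /etc/gshadow normally requires root.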
