On Thu, Mar 28, 2024 at 12:28:56AM -0400, Lee wrote:
> On Wed, Mar 27, 2024 at 10:07 PM Andy Smith wrote:
> >
> > Hi,
> >
> > On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote:
> > > I just saw this advisory
> > >   Escape sequence injection in util-linux wall (CVE-2024-28085)
> > >     https://seclists.org/fulldisclosure/2024/Mar/35
> > > where they're talking about grabbing other users sudo password.
> >
> > It doesn't work by default on Debian as it relies on
> > command-not-found automatically running on the user's input.
> > command-not-found can be installed, however…
> >
> > > oof.  Are there instructions somewhere on how to make Debian secure by 
> > > default?
> >
> > Between the fact that "secure" means different things to different
> > people and that this advisory was only released a few hours ago, I
> > don't think you can reasonably expect documentation to already be
> > published for your standard of "secure".
> 
> You snipped the bit from the man page about users becoming more
> conscious of various security risks & removing write access by
> default.

It's just an opinion by the author of the man page.

I'm just not sure that you'll find any "hardening" guide that will
specifically say "disable writing to your terminal as there might be
a bug in a binary that is setgid tty" before yesterday's reveal that
there is such a bug in "wall".

The more general advice to audit every setuid/setgid binary is more
likely to be present.

> Considering how long it takes something to migrate into stable I'm
> guessing that man page is pretty old.  So I don't think it's
> unreasonable to expect some kind of secure by default installation
> option.

I wouldn't be surprised if the man page is 10 years old. Linux
distributions do not tend to be that internally consistent. Lots of
weird things get put into man pages by their authors and
distributions don't always feel obliged to obey all of them;
sometimes they are even conflicting between each other.

Things are more coherent in BSD land, where the base system is
developed alongside the kernel, by the same people.

I do agree with you though that "mesg n" would be a much better
default and it's a shame we worked that out by seeing a ten year old
bug revealed.

It might be worth submitting a wishlist bug to Debian. I'm not
entirely sure of which package but I suppose "util-linux" would make
sense since that's where "mesg" comes from. It could ask for a shell
snippet in profile.d to set the default to "n" in the name of
security, and reference this CVE.

If the maintainer of util-linux doesn't agree, then the next thing
I'd try is a bug against the Debian Administrator's Handbook:

    https://www.debian.org/doc/manuals/debian-handbook/

This has a chapter on security, so possibly it would be appropriate
to mention "mesg n" there.

> > As you've never heard of "mesg" and probably don't use "wall" I
> > doubt you will have any issues chmod 0 /usr/bin/wall and then
> > setting it immutable¹ with chattr +i.
> 
> I suppose that's one way.  I'd rather uninstall it.

Problem is it's part of "bsdutils" so that would uninstall the whole
package and all its other tools.

A divert (man dpkg-divert) could be used to remove the binary, but I
prefer chmod 0 and immutable as a less drastic approach.

There is also the issue that the user's terminal remains writeable by
processes in "tty" group - all that's been achieved is to stop one
program that has a known bug from doing so. There could be others,
and we've established that most users probably do not want or need
other users to write to their terminals. So "mesg n" is still a good
idea.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
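The pieces of hardening discussed in the message above (checking whether a terminal is writable by others, a profile.d snippet that defaults new sessions to "mesg n", the chmod 0 / chattr +i treatment of a setgid-tty binary such as wall, and the more general audit of setgid binaries), collected into one POSIX sh script. This is an added example, not code from the thread or from Debian; the function names, the snippet text and the example file name /etc/profile.d/mesg-n.sh are my own choices.

```sh
#!/bin/sh
# Added example (not from the thread). Defender-side helpers for the
# "mesg n" / setgid-tty discussion: inspect, set a safe default, neutralize
# a binary, audit. Function names and file names are assumptions.

# others_can_write PATH
# Exit 0 if group or other hold the write bit on PATH (what "mesg y" looks
# like on a tty: crw--w---- user tty), 1 if not, 2 if PATH can't be read.
others_can_write() {
    perm=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perm" ] || return 2
    grp=$(printf '%s' "$perm" | cut -c6)   # position 6: group write bit
    oth=$(printf '%s' "$perm" | cut -c9)   # position 9: other write bit
    case "$grp$oth" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_my_tty
# Report on the calling shell's own terminal; exit 0 if it is protected.
check_my_tty() {
    t=$(tty 2>/dev/null) || { echo "no controlling terminal"; return 2; }
    if others_can_write "$t"; then
        echo "$t: writable by others (mesg y); run 'mesg n'"; return 1
    fi
    echo "$t: not writable by others (mesg n)"; return 0
}

# write_mesg_profile_snippet FILE
# Write the profile.d fragment proposed in the message: every login
# session starts with "mesg n". FILE would typically be
# /etc/profile.d/mesg-n.sh (assumed name).
write_mesg_profile_snippet() {
    cat > "$1" <<'EOF'
# Local policy: deny write access to this user's terminal by default
# (escape-sequence injection through setgid-tty programs, CVE-2024-28085).
# A user who wants wall/write messages can still run "mesg y".
if [ -t 0 ] && command -v mesg >/dev/null 2>&1; then
    mesg n >/dev/null 2>&1
fi
EOF
}

# neutralize_binary PATH
# The "chmod 0 and set immutable" route. chmod must succeed; chattr +i is
# attempted only where chattr exists (it needs root and a filesystem that
# supports the flag), and a failure there is reported rather than hidden.
neutralize_binary() {
    chmod 0 -- "$1" || return 1
    if command -v chattr >/dev/null 2>&1; then
        chattr +i "$1" 2>/dev/null || echo "warning: could not set +i on $1" >&2
    fi
    return 0
}

# find_setgid_binaries DIR GROUP
# The more general audit: list regular files under DIR that are setgid to
# GROUP, e.g. find_setgid_binaries /usr tty
find_setgid_binaries() {
    find "$1" -xdev -type f -perm -2000 -group "$2" 2>/dev/null
}
```

check_my_tty is the quick interactive test after logging in; the snippet writer and neutralize_binary need root to act on the real paths, so try them on a scratch copy first.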
