Bug#989049: debspawn: privilege escalation via uid reuse
Hi,

On Tue, May 25, 2021 at 06:46:33PM +0200, Matthias Klumpp wrote:
> On Tue, 25 May 2021 at 13:21, Salvatore Bonaccorso wrote:
> > [...]
> > >
> > > Can you please elaborate on why you reopened this issue? I believe it
> > > has indeed been addressed with version 0.4.2-1, there is no more uid
> > > reuse for the build user and Debspawn will pick a free uid that is not
> > > in use on the host system for building packages.
> >
> > The reason is very simple, because I messed up the 'found' version :)
>
> Ah, that makes sense - at least it got me to take another look at the
> patch that fixed this to look for issues, which is never a bad thing
> :-)

heh, okay then it at least had still a positive effect =) But yes I
should have been definitely more careful when trying to add the
metadata instead of confusing my Debian colleagues!

Regards,
Salvatore

Bug#989049: debspawn: privilege escalation via uid reuse
On Tue, 25 May 2021 at 13:21, Salvatore Bonaccorso wrote:
> [...]
> >
> > Can you please elaborate on why you reopened this issue? I believe it
> > has indeed been addressed with version 0.4.2-1, there is no more uid
> > reuse for the build user and Debspawn will pick a free uid that is not
> > in use on the host system for building packages.
>
> The reason is very simple, because I messed up the 'found' version :)

Ah, that makes sense - at least it got me to take another look at the
patch that fixed this to look for issues, which is never a bad thing
:-)

Cheers,
Matthias

--
I welcome VSRE emails. See http://vsre.info/

Bug#989049: debspawn: privilege escalation via uid reuse
Hi,

On Tue, May 25, 2021 at 10:32:36AM +0200, Matthias Klumpp wrote:
> Hi Salvatore!
>
> On Tue, 25 May 2021 at 06:51, Debian Bug Tracking System wrote:
> >
> > Processing commands for cont...@bugs.debian.org:
> >
> > > found 989049 0.4.2-1
> > Bug #989049 {Done: Matthias Klumpp } [debspawn] debspawn:
> > privilege escalation via uid reuse
> > There is no source info for the package 'debspawn' at version '0.4.2-1'
> > with architecture ''
> > Unable to make a source version for version '0.4.2-1'
> > Marked as found in versions 0.4.2-1; no longer marked as fixed in versions
> > debspawn/0.4.2-1 and reopened.
> > > thanks
> > Stopping processing here.
>
> Can you please elaborate on why you reopened this issue? I believe it
> has indeed been addressed with version 0.4.2-1, there is no more uid
> reuse for the build user and Debspawn will pick a free uid that is not
> in use on the host system for building packages.

The reason is very simple, because I messed up the 'found' version :)

I will fix that up in a minute.

Regards,
Salvatore

Bug#989049: debspawn: privilege escalation via uid reuse
Hi Salvatore!

On Tue, 25 May 2021 at 06:51, Debian Bug Tracking System wrote:
>
> Processing commands for cont...@bugs.debian.org:
>
> > found 989049 0.4.2-1
> Bug #989049 {Done: Matthias Klumpp } [debspawn] debspawn:
> privilege escalation via uid reuse
> There is no source info for the package 'debspawn' at version '0.4.2-1' with
> architecture ''
> Unable to make a source version for version '0.4.2-1'
> Marked as found in versions 0.4.2-1; no longer marked as fixed in versions
> debspawn/0.4.2-1 and reopened.
> > thanks
> Stopping processing here.

Can you please elaborate on why you reopened this issue? I believe it
has indeed been addressed with version 0.4.2-1, there is no more uid
reuse for the build user and Debspawn will pick a free uid that is not
in use on the host system for building packages.

Cheers,
Matthias

--
I welcome VSRE emails. See http://vsre.info/

Bug#989049: debspawn: privilege escalation via uid reuse
Package: debspawn
Severity: serious
Justification: security hole
Tags: security

When building a package using debspawn, it dynamically allocates a
system user that is used to perform the build. Since system users are
allocated sequentially, the chosen uid is very likely to collide with a
uid outside the nspawn container.

This enables two possible privilege escalations:

 * If an unprivileged user is entitled to perform builds via debspawn,
   she gains privileges of the build uid inside the container and this
   is an expected part of the security model of debspawn. However that
   same uid is very likely used outside of the container for a different
   purpose (usually a system daemon). A number of resources are shared
   between the outer os and the container despite being separated by a
   pid namespace. For instance, resource limits are shared. It is very
   likely that a privilege escalation from the build user inside the
   container to the service user (with same uid) is possible. The
   culprit here is the accidental sharing of uids for two different
   purposes.

 * Likewise, the privilege escalation works in the other direction. The
   service that shares its uid with the build user can simply kill build
   processes with any signal or change arbitrary files in the build
   tree. Again, it is the sharing of a uid that enables this.

I basically see two options for fixing this:

 * The build user is forced to use a uid that is not allocated
   elsewhere. pbuilder follows this approach and fixes a uid that is not
   normally allocated.

 * A user namespace would remap the uid space inside the container to a
   high, private uid range. While the build uid inside the container
   would equal a system user outside, the namespace would still separate
   them.

FD: Initial disclosure to Matthias and the security team happened on
May 11th. Both agreed to publish the issue.

Helmut
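Added example, not part of the thread and not debspawn's own code: a check for the collision the report describes, plus the first fix option (choose a build uid that is unused on the host). The passwd contents, the account name "builder", the uid range 100-999 and all function names are assumptions made for illustration; a real host may also resolve accounts through NSS sources that a passwd file does not list.

```python
# Added example: constructed passwd(5) data and hypothetical helper names.
HOST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
systemd-network:x:100:102::/run/systemd:/usr/sbin/nologin
messagebus:x:101:103::/nonexistent:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

CONTAINER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
builder:x:101:101::/srv/build:/bin/sh
"""

def parse_passwd(text):
    """Map uid -> login name for every well-formed passwd(5) line."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            users[int(fields[2])] = fields[0]
    return users

def uid_collisions(host, container, names):
    """Container accounts in `names` whose uid belongs to a different host account."""
    return {name: (uid, host[uid]) for uid, name in container.items()
            if name in names and uid in host and host[uid] != name}

def pick_free_uid(host, container, first, last):
    """First uid in [first, last] unused on both sides; raise if the range is full."""
    for uid in range(first, last + 1):
        if uid not in host and uid not in container:
            return uid
    raise RuntimeError("no free uid in range %d-%d" % (first, last))

if __name__ == "__main__":
    host, cont = parse_passwd(HOST_PASSWD), parse_passwd(CONTAINER_PASSWD)
    print(uid_collisions(host, cont, {"builder"}))   # sequential allocation collides
    print(pick_free_uid(host, cont, 100, 999))       # uid free on host and container
```

The second option in the report, a user namespace, removes the need for this check because container uids are remapped to a private host range.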