[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
Just noticed in $HOME/.xsession-errors the following: (polkit-gnome-authentication-agent-1:4029): polkit-gnome-1-WARNING **: 15:04:54.498: Failed to register client: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1784964 Title: Regression due to CVE-2018-1116 (processes not inheriting user's groups ) Status in policykit-1 package in Ubuntu: Confirmed Bug description: This report is tracking a possible regression caused by the recent CVE-2018-1116 patches to policykit-1. On 18.04, since package upgrades on July 23rd, and after the first reboot since then on Aug 1st, I hit an issue with the primary (sudo, adm, etc...) user getting Permission Denied trying to do: tail -f /var/log/syslog when that file is owned by syslog:adm and is g=r. I then found that "groups" reports only the $USER and not the entire list, but "groups $USER" reports all the groups correctly. The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g default-shell /bin/bash" After changing the user's shell back to /bin/bash and logging in on tty1 the list of groups shows correctly for the /bin/bash process running on tty1. I investigated and found that for the affected processes, such as the tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash process on tty1 correctly reported 1000. The same with the respective gid_map and uid_map. 4294967295 == -1 == 0x The recent CVE patch to policykit has several functions where it does "uid = -1" which seems to tie in to my findings so far. I also noticed Ubuntu is still based on version 0.105 which was released in 2012 - upstream released 0.115 with the CVE patch. I suspect the backporting has missed something. The Ubuntu backport patch is: https://git.launchpad.net/ubuntu/+source/policykit-1/commit/?h=applied/ubuntu /bionic-devel=840c50182f5ab1ba28c1d20cce4c207364852935 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
And this is the same output using the 'correct' scenario by logging into the TTY console first. cmdline: -bash Tgid: 3516 Ngid: 0 Pid:3516 PPid: 3488 TracerPid: 0 Uid:1000100010001000 Gid:1000100010001000 Groups: 0 4 6 7 20 24 25 27 29 44 46 100 108 114 132 134 134 137 142 1000 NStgid: 3516 NSpid: 3516 NSpgid: 3516 NSsid: 3516 cmdline: -tmux Tgid: 3488 Ngid: 0 Pid:3488 PPid: 1 TracerPid: 0 Uid:1000100010001000 Gid:1000100010001000 Groups: 0 4 6 7 20 24 25 27 29 44 46 100 108 114 132 134 134 137 142 1000 NStgid: 3488 NSpid: 3488 NSpgid: 3488 NSsid: 3488 cmdline: /sbin/init Tgid: 1 Ngid: 0 Pid:1 PPid: 0 TracerPid: 0 Uid:0 0 0 0 Gid:0 0 0 0 Groups: NStgid: 1 NSpid: 1 NSpgid: 1 NSsid: 1 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1784964 Title: Regression due to CVE-2018-1116 (processes not inheriting user's groups ) Status in policykit-1 package in Ubuntu: Confirmed Bug description: This report is tracking a possible regression caused by the recent CVE-2018-1116 patches to policykit-1. On 18.04, since package upgrades on July 23rd, and after the first reboot since then on Aug 1st, I hit an issue with the primary (sudo, adm, etc...) user getting Permission Denied trying to do: tail -f /var/log/syslog when that file is owned by syslog:adm and is g=r. I then found that "groups" reports only the $USER and not the entire list, but "groups $USER" reports all the groups correctly. The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g default-shell /bin/bash" After changing the user's shell back to /bin/bash and logging in on tty1 the list of groups shows correctly for the /bin/bash process running on tty1. I investigated and found that for the affected processes, such as the tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash process on tty1 correctly reported 1000. The same with the respective gid_map and uid_map. 4294967295 == -1 == 0x The recent CVE patch to policykit has several functions where it does "uid = -1" which seems to tie in to my findings so far. I also noticed Ubuntu is still based on version 0.105 which was released in 2012 - upstream released 0.115 with the CVE patch. I suspect the backporting has missed something. The Ubuntu backport patch is: https://git.launchpad.net/ubuntu/+source/policykit-1/commit/?h=applied/ubuntu /bionic-devel=840c50182f5ab1ba28c1d20cce4c207364852935 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
Just noticed the PID tree trace didn't match on the Group: from
proc/$PID/status. Here's the corrected output.
$ pid=$BASHPID; while [[ $pid -ne 0 ]]; do ids=$(grep
'^\(.*id:\|Group\)' /proc/$pid/status); echo -e "cmdline: $(cat
/proc/$pid/cmdline) \n $ids" 2>/dev/null; pid=$(echo $ids | awk '{print
$8}'); done
cmdline: -bash
Tgid: 3610
Ngid: 0
Pid:3610
PPid: 3548
TracerPid: 0
Uid:1000100010001000
Gid:1000100010001000
Groups:
NStgid: 3610
NSpid: 3610
NSpgid: 3610
NSsid: 3610
cmdline: tmux
Tgid: 3548
Ngid: 0
Pid:3548
PPid: 1
TracerPid: 0
Uid:1000100010001000
Gid:1000100010001000
Groups:
NStgid: 3548
NSpid: 3548
NSpgid: 3548
NSsid: 3548
cmdline: /sbin/init
Tgid: 1
Ngid: 0
Pid:1
PPid: 0
TracerPid: 0
Uid:0 0 0 0
Gid:0 0 0 0
Groups:
NStgid: 1
NSpid: 1
NSpgid: 1
NSsid: 1
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1784964
Title:
Regression due to CVE-2018-1116 (processes not inheriting user's
groups )
Status in policykit-1 package in Ubuntu:
Confirmed
Bug description:
This report is tracking a possible regression caused by the recent
CVE-2018-1116 patches to policykit-1.
On 18.04, since package upgrades on July 23rd, and after the first
reboot since then on Aug 1st, I hit an issue with the primary (sudo,
adm, etc...) user getting Permission Denied trying to do:
tail -f /var/log/syslog
when that file is owned by syslog:adm and is g=r.
I then found that "groups" reports only the $USER and not the entire
list, but "groups $USER" reports all the groups correctly.
The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g
default-shell /bin/bash"
After changing the user's shell back to /bin/bash and logging in on
tty1 the list of groups shows correctly for the /bin/bash process
running on tty1.
I investigated and found that for the affected processes, such as the
tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash
process on tty1 correctly reported 1000. The same with the respective
gid_map and uid_map.
4294967295 == -1 == 0x
The recent CVE patch to policykit has several functions where it does
"uid = -1" which seems to tie in to my findings so far.
I also noticed Ubuntu is still based on version 0.105 which was
released in 2012 - upstream released 0.115 with the CVE patch.
I suspect the backporting has missed something.
The Ubuntu backport patch is:
https://git.launchpad.net/ubuntu/+source/policykit-1/commit/?h=applied/ubuntu
/bionic-devel=840c50182f5ab1ba28c1d20cce4c207364852935
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
Marc: regular stand-alone install, local authentication via
passwd/shadow/group.
Here's what I see with the 'broken' sequence GUI terminal:
tj ~ id
uid=1000(tj) gid=1000(tj) groups=1000(tj)
tj ~ groups
tj
tj ~ groups $USER
tj : tj root adm disk lp dialout cdrom floppy sudo audio video plugdev users
netdev lpadmin kvm libvirtd wireshark lxd libvirtd
$ pid=$BASHPID; while [[ $pid -ne 0 ]]; do ids=$(grep
'^([P]*id\|.*id:\|Groups:)' /proc/$pid/status); echo -e "cmdline: $(cat
/proc/$pid/cmdline) \n $ids" 2>/dev/null; pid=$(echo $ids | awk '{print $8}');
done > Hacking/bug-groups-parent-process-tree.log
cmdline: -bash
Tgid: 3610
Ngid: 0
Pid:3610
PPid: 3548
TracerPid: 0
Uid:1000100010001000
Gid:1000100010001000
NStgid: 3610
NSpid: 3610
NSpgid: 3610
NSsid: 3610
cmdline: tmux
Tgid: 3548
Ngid: 0
Pid:3548
PPid: 1
TracerPid: 0
Uid:1000100010001000
Gid:1000100010001000
NStgid: 3548
NSpid: 3548
NSpgid: 3548
NSsid: 3548
cmdline: /sbin/init
Tgid: 1
Ngid: 0
Pid:1
PPid: 0
TracerPid: 0
Uid:0 0 0 0
Gid:0 0 0 0
NStgid: 1
NSpid: 1
NSpgid: 1
NSsid: 1
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1784964
Title:
Regression due to CVE-2018-1116 (processes not inheriting user's
groups )
Status in policykit-1 package in Ubuntu:
Confirmed
Bug description:
This report is tracking a possible regression caused by the recent
CVE-2018-1116 patches to policykit-1.
On 18.04, since package upgrades on July 23rd, and after the first
reboot since then on Aug 1st, I hit an issue with the primary (sudo,
adm, etc...) user getting Permission Denied trying to do:
tail -f /var/log/syslog
when that file is owned by syslog:adm and is g=r.
I then found that "groups" reports only the $USER and not the entire
list, but "groups $USER" reports all the groups correctly.
The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g
default-shell /bin/bash"
After changing the user's shell back to /bin/bash and logging in on
tty1 the list of groups shows correctly for the /bin/bash process
running on tty1.
I investigated and found that for the affected processes, such as the
tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash
process on tty1 correctly reported 1000. The same with the respective
gid_map and uid_map.
4294967295 == -1 == 0x
The recent CVE patch to policykit has several functions where it does
"uid = -1" which seems to tie in to my findings so far.
I also noticed Ubuntu is still based on version 0.105 which was
released in 2012 - upstream released 0.115 with the CVE patch.
I suspect the backporting has missed something.
The Ubuntu backport patch is:
https://git.launchpad.net/ubuntu/+source/policykit-1/commit/?h=applied/ubuntu
/bionic-devel=840c50182f5ab1ba28c1d20cce4c207364852935
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
Marc: Are you using gdm to log into the graphical session? lightdm - this is Xubuntu -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1784964 Title: Regression due to CVE-2018-1116 (processes not inheriting user's groups ) Status in policykit-1 package in Ubuntu: Confirmed Bug description: This report is tracking a possible regression caused by the recent CVE-2018-1116 patches to policykit-1. On 18.04, since package upgrades on July 23rd, and after the first reboot since then on Aug 1st, I hit an issue with the primary (sudo, adm, etc...) user getting Permission Denied trying to do: tail -f /var/log/syslog when that file is owned by syslog:adm and is g=r. I then found that "groups" reports only the $USER and not the entire list, but "groups $USER" reports all the groups correctly. The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g default-shell /bin/bash" After changing the user's shell back to /bin/bash and logging in on tty1 the list of groups shows correctly for the /bin/bash process running on tty1. I investigated and found that for the affected processes, such as the tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash process on tty1 correctly reported 1000. The same with the respective gid_map and uid_map. 4294967295 == -1 == 0x The recent CVE patch to policykit has several functions where it does "uid = -1" which seems to tie in to my findings so far. I also noticed Ubuntu is still based on version 0.105 which was released in 2012 - upstream released 0.115 with the CVE patch. I suspect the backporting has missed something. The Ubuntu backport patch is: https://git.launchpad.net/ubuntu/+source/policykit-1/commit/?h=applied/ubuntu /bionic-devel=840c50182f5ab1ba28c1d20cce4c207364852935 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
I am beginning to suspect this is an systemd-logind issue. I've been thinking it's logind but just checked the upgrade packages to/from versions and cross-checked against the changelogs. ? systemd:amd64 (237-3ubuntu10, 237-3ubuntu10.3), And we have a major change to logind included in that: systemd (237-3ubuntu10.2) bionic; urgency=medium * logind: backport v238/v239 fixes for handling DRM devices. These changes introduce all the fixes that correct handling of open fd's related to the DRM devices, as used by for example NVIDIA GPUs. This backport includes some refactoring, corrections, and comment updates. This to insure that correct history is preserved, code comments match reality, and to ease backporting logind fixes in the future SRUs. (LP: #1777099) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1784964 Title: Regression due to CVE-2018-1116 (processes not inheriting user's groups ) Status in policykit-1 package in Ubuntu: Confirmed Bug description: This report is tracking a possible regression caused by the recent CVE-2018-1116 patches to policykit-1. On 18.04, since package upgrades on July 23rd, and after the first reboot since then on Aug 1st, I hit an issue with the primary (sudo, adm, etc...) user getting Permission Denied trying to do: tail -f /var/log/syslog when that file is owned by syslog:adm and is g=r. I then found that "groups" reports only the $USER and not the entire list, but "groups $USER" reports all the groups correctly. The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g default-shell /bin/bash" After changing the user's shell back to /bin/bash and logging in on tty1 the list of groups shows correctly for the /bin/bash process running on tty1. I investigated and found that for the affected processes, such as the tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash process on tty1 correctly reported 1000. The same with the respective gid_map and uid_map. 4294967295 == -1 == 0x The recent CVE patch to policykit has several functions where it does "uid = -1" which seems to tie in to my findings so far. I also noticed Ubuntu is still based on version 0.105 which was released in 2012 - upstream released 0.115 with the CVE patch. I suspect the backporting has missed something. The Ubuntu backport patch is: https://git.launchpad.net/ubuntu/+source/policykit-1/commit/?h=applied/ubuntu /bionic-devel=840c50182f5ab1ba28c1d20cce4c207364852935 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
I experience this same behaviour using lightdm + KDE plasma. I've also tested lightdm + unity which did not trigger this behaviour. This install uses local passwd/shadow/group files. Both tests were after a fresh boot. harm@harm-XPS-13-9360:~$ lsb_release -a; cat /proc/version No LSB modules are available. Distributor ID: Ubuntu Description:Ubuntu 18.04.1 LTS Release:18.04 Codename: bionic Linux version 4.15.0-29-generic (buildd@lgw01-amd64-057) (gcc version 7.3.0 (Ubuntu 7.3.0-16ubuntu3)) #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 harm@harm-XPS-13-9360:~$ groups; groups $(whoami) harm harm : harm adm dialout cdrom sudo dip plugdev netdev lpadmin sambashare libvirt docker harm@harm-XPS-13-9360:~$ id; id $(whoami) uid=1000(harm) gid=1000(harm) groups=1000(harm) uid=1000(harm) gid=1000(harm) groups=1000(harm),4(adm),20(dialout),24(cdrom),27(sudo),30(dip),46(plugdev),109(netdev),113(lpadmin),128(sambashare),135(libvirt),999(docker) harm@harm-XPS-13-9360:~$ cat /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat systemd group: compat systemd shadow: compat gshadow:files
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
Are you using local passwd/shadow/group files, or are you authenticating using something else? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1784964 Title: Regression due to CVE-2018-1116 (processes not inheriting user's groups ) Status in policykit-1 package in Ubuntu: Confirmed Bug description: This report is tracking a possible regression caused by the recent CVE-2018-1116 patches to policykit-1. On 18.04, since package upgrades on July 23rd, and after the first reboot since then on Aug 1st, I hit an issue with the primary (sudo, adm, etc...) user getting Permission Denied trying to do: tail -f /var/log/syslog when that file is owned by syslog:adm and is g=r. I then found that "groups" reports only the $USER and not the entire list, but "groups $USER" reports all the groups correctly. The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g default-shell /bin/bash" After changing the user's shell back to /bin/bash and logging in on tty1 the list of groups shows correctly for the /bin/bash process running on tty1. I investigated and found that for the affected processes, such as the tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash process on tty1 correctly reported 1000. The same with the respective gid_map and uid_map. 4294967295 == -1 == 0x The recent CVE patch to policykit has several functions where it does "uid = -1" which seems to tie in to my findings so far. I also noticed Ubuntu is still based on version 0.105 which was released in 2012 - upstream released 0.115 with the CVE patch. I suspect the backporting has missed something. The Ubuntu backport patch is: https://git.launchpad.net/ubuntu/+source/policykit-1/commit/?h=applied/ubuntu /bionic-devel=840c50182f5ab1ba28c1d20cce4c207364852935 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
What's the output of "id" in a broken shell? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1784964 Title: Regression due to CVE-2018-1116 (processes not inheriting user's groups ) Status in policykit-1 package in Ubuntu: Confirmed Bug description: This report is tracking a possible regression caused by the recent CVE-2018-1116 patches to policykit-1. On 18.04, since package upgrades on July 23rd, and after the first reboot since then on Aug 1st, I hit an issue with the primary (sudo, adm, etc...) user getting Permission Denied trying to do: tail -f /var/log/syslog when that file is owned by syslog:adm and is g=r. I then found that "groups" reports only the $USER and not the entire list, but "groups $USER" reports all the groups correctly. The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g default-shell /bin/bash" After changing the user's shell back to /bin/bash and logging in on tty1 the list of groups shows correctly for the /bin/bash process running on tty1. I investigated and found that for the affected processes, such as the tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash process on tty1 correctly reported 1000. The same with the respective gid_map and uid_map. 4294967295 == -1 == 0x The recent CVE patch to policykit has several functions where it does "uid = -1" which seems to tie in to my findings so far. I also noticed Ubuntu is still based on version 0.105 which was released in 2012 - upstream released 0.115 with the CVE patch. I suspect the backporting has missed something. The Ubuntu backport patch is: https://git.launchpad.net/ubuntu/+source/policykit-1/commit/?h=applied/ubuntu /bionic-devel=840c50182f5ab1ba28c1d20cce4c207364852935 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
I think this Debian-reported bug is closely related. The description certainly sounds very like what I've experienced so far. I'm not linking it to this bug report until any relationship is clearer. "policykit-1: please treat background processes (user bus) as part of active GUI session" https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779988 ** Bug watch added: Debian Bug tracker #779988 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779988 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1784964 Title: Regression due to CVE-2018-1116 (processes not inheriting user's groups ) Status in policykit-1 package in Ubuntu: Confirmed Bug description: This report is tracking a possible regression caused by the recent CVE-2018-1116 patches to policykit-1. On 18.04, since package upgrades on July 23rd, and after the first reboot since then on Aug 1st, I hit an issue with the primary (sudo, adm, etc...) user getting Permission Denied trying to do: tail -f /var/log/syslog when that file is owned by syslog:adm and is g=r. I then found that "groups" reports only the $USER and not the entire list, but "groups $USER" reports all the groups correctly. The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g default-shell /bin/bash" After changing the user's shell back to /bin/bash and logging in on tty1 the list of groups shows correctly for the /bin/bash process running on tty1. I investigated and found that for the affected processes, such as the tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash process on tty1 correctly reported 1000. The same with the respective gid_map and uid_map. 4294967295 == -1 == 0x The recent CVE patch to policykit has several functions where it does "uid = -1" which seems to tie in to my findings so far. I also noticed Ubuntu is still based on version 0.105 which was released in 2012 - upstream released 0.115 with the CVE patch. I suspect the backporting has missed something. The Ubuntu backport patch is: https://git.launchpad.net/ubuntu/+source/policykit-1/commit/?h=applied/ubuntu /bionic-devel=840c50182f5ab1ba28c1d20cce4c207364852935 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
/proc/*/loginuid is set by the pam_loginuid module when you login. Policykit isn't involved in that process at all. Are you using gdm to log into the graphical session? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1784964 Title: Regression due to CVE-2018-1116 (processes not inheriting user's groups ) Status in policykit-1 package in Ubuntu: Confirmed Bug description: This report is tracking a possible regression caused by the recent CVE-2018-1116 patches to policykit-1. On 18.04, since package upgrades on July 23rd, and after the first reboot since then on Aug 1st, I hit an issue with the primary (sudo, adm, etc...) user getting Permission Denied trying to do: tail -f /var/log/syslog when that file is owned by syslog:adm and is g=r. I then found that "groups" reports only the $USER and not the entire list, but "groups $USER" reports all the groups correctly. The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g default-shell /bin/bash" After changing the user's shell back to /bin/bash and logging in on tty1 the list of groups shows correctly for the /bin/bash process running on tty1. I investigated and found that for the affected processes, such as the tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash process on tty1 correctly reported 1000. The same with the respective gid_map and uid_map. 4294967295 == -1 == 0x The recent CVE patch to policykit has several functions where it does "uid = -1" which seems to tie in to my findings so far. I also noticed Ubuntu is still based on version 0.105 which was released in 2012 - upstream released 0.115 with the CVE patch. I suspect the backporting has missed something. The Ubuntu backport patch is: https://git.launchpad.net/ubuntu/+source/policykit-1/commit/?h=applied/ubuntu /bionic-devel=840c50182f5ab1ba28c1d20cce4c207364852935 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
** Summary changed: - Regression due to CVE-2018-1116 (processes not inheriting user ID or groups ) + Regression due to CVE-2018-1116 (processes not inheriting user's groups ) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1784964 Title: Regression due to CVE-2018-1116 (processes not inheriting user's groups ) Status in policykit-1 package in Ubuntu: Confirmed Bug description: This report is tracking a possible regression caused by the recent CVE-2018-1116 patches to policykit-1. On 18.04, since package upgrades on July 23rd, and after the first reboot since then on Aug 1st, I hit an issue with the primary (sudo, adm, etc...) user getting Permission Denied trying to do: tail -f /var/log/syslog when that file is owned by syslog:adm and is g=r. I then found that "groups" reports only the $USER and not the entire list, but "groups $USER" reports all the groups correctly. The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g default-shell /bin/bash" After changing the user's shell back to /bin/bash and logging in on tty1 the list of groups shows correctly for the /bin/bash process running on tty1. I investigated and found that for the affected processes, such as the tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash process on tty1 correctly reported 1000. The same with the respective gid_map and uid_map. 4294967295 == -1 == 0x The recent CVE patch to policykit has several functions where it does "uid = -1" which seems to tie in to my findings so far. I also noticed Ubuntu is still based on version 0.105 which was released in 2012 - upstream released 0.115 with the CVE patch. I suspect the backporting has missed something. The Ubuntu backport patch is: https://git.launchpad.net/ubuntu/+source/policykit-1/commit/?h=applied/ubuntu /bionic-devel=840c50182f5ab1ba28c1d20cce4c207364852935 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
