[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
Just noticed in $HOME/.xsession-errors the following:

(polkit-gnome-authentication-agent-1:4029): polkit-gnome-1-WARNING **: 15:04:54.498: Failed to register client: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1784964

Title:
  Regression due to CVE-2018-1116 (processes not inheriting user's groups )

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  This report is tracking a possible regression caused by the recent CVE-2018-1116 patches to policykit-1.

  On 18.04, since package upgrades on July 23rd, and after the first reboot since then on Aug 1st, I hit an issue with the primary (sudo, adm, etc...) user getting Permission Denied trying to do:

  tail -f /var/log/syslog

  when that file is owned by syslog:adm and is g=r.

  I then found that "groups" reports only the $USER and not the entire list, but "groups $USER" reports all the groups correctly.

  The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g default-shell /bin/bash"

  After changing the user's shell back to /bin/bash and logging in on tty1 the list of groups shows correctly for the /bin/bash process running on tty1.

  I investigated and found that for the affected processes, such as the tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash process on tty1 correctly reported 1000. The same with the respective gid_map and uid_map.

  4294967295 == -1 == 0x

  The recent CVE patch to policykit has several functions where it does "uid = -1" which seems to tie in to my findings so far.

  I also noticed Ubuntu is still based on version 0.105 which was released in 2012 - upstream released 0.115 with the CVE patch. I suspect the backporting has missed something.

  The Ubuntu backport patch is:

  https://git.launchpad.net/ubuntu/+source/policykit-1/commit/?h=applied/ubuntu/bionic-devel=840c50182f5ab1ba28c1d20cce4c207364852935

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
And this is the same output using the 'correct' scenario by logging into the TTY console first.

cmdline: -bash
Tgid: 3516
Ngid: 0
Pid: 3516
PPid: 3488
TracerPid: 0
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
Groups: 0 4 6 7 20 24 25 27 29 44 46 100 108 114 132 134 134 137 142 1000
NStgid: 3516
NSpid: 3516
NSpgid: 3516
NSsid: 3516

cmdline: -tmux
Tgid: 3488
Ngid: 0
Pid: 3488
PPid: 1
TracerPid: 0
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
Groups: 0 4 6 7 20 24 25 27 29 44 46 100 108 114 132 134 134 137 142 1000
NStgid: 3488
NSpid: 3488
NSpgid: 3488
NSsid: 3488

cmdline: /sbin/init
Tgid: 1
Ngid: 0
Pid: 1
PPid: 0
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
Groups:
NStgid: 1
NSpid: 1
NSpgid: 1
NSsid: 1
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
Just noticed the PID tree trace didn't match on the Group: from proc/$PID/status. Here's the corrected output.

$ pid=$BASHPID; while [[ $pid -ne 0 ]]; do ids=$(grep '^\(.*id:\|Group\)' /proc/$pid/status); echo -e "cmdline: $(cat /proc/$pid/cmdline) \n $ids" 2>/dev/null; pid=$(echo $ids | awk '{print $8}'); done

cmdline: -bash
Tgid: 3610
Ngid: 0
Pid: 3610
PPid: 3548
TracerPid: 0
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
Groups:
NStgid: 3610
NSpid: 3610
NSpgid: 3610
NSsid: 3610

cmdline: tmux
Tgid: 3548
Ngid: 0
Pid: 3548
PPid: 1
TracerPid: 0
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
Groups:
NStgid: 3548
NSpid: 3548
NSpgid: 3548
NSsid: 3548

cmdline: /sbin/init
Tgid: 1
Ngid: 0
Pid: 1
PPid: 0
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
Groups:
NStgid: 1
NSpid: 1
NSpgid: 1
NSsid: 1
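
An added example, not part of the thread or of any Ubuntu package: the ancestry walk from the message above written as functions that also read loginuid and flag the two symptoms reported in this bug (an empty Groups: line and loginuid 4294967295) for login-user processes. The function names, the proc-root argument, the LOGIN_UID_MIN threshold and the sample tree are assumptions; the tree is constructed from the PIDs and group list quoted in the thread so the script runs offline.

```sh
#!/bin/sh
# Added example: walk a process's parents and flag missing supplementary
# groups / unset loginuid. The first argument is the proc root so the walk
# can run against a constructed tree; on a live system: walk_ancestry /proc $$

UNSET_LOGINUID=4294967295   # (uid_t)-1: loginuid was never set for this process
LOGIN_UID_MIN=1000          # assumption: uids below this are system accounts

# status_field ROOT PID FIELD -> value of "FIELD:" in ROOT/PID/status
status_field() (
    awk -v f="$3:" '$1 == f { $1 = ""; sub(/^ +/, ""); print; exit }' \
        "$1/$2/status" 2>/dev/null
)

# check_pid ROOT PID -> one report line for that process
check_pid() (
    root=$1; pid=$2
    ppid=$(status_field "$root" "$pid" PPid)
    uid=$(status_field "$root" "$pid" Uid); uid=${uid%% *}      # real uid
    set -- $(status_field "$root" "$pid" Groups); ngroups=$#    # count entries
    loginuid=$(cat "$root/$pid/loginuid" 2>/dev/null || echo unknown)
    # cmdline is NUL-separated in a real /proc
    cmd=$(cat "$root/$pid/cmdline" 2>/dev/null | tr '\0' ' ' | sed 's/ *$//')
    flags=
    if [ "${uid:-0}" -ge "$LOGIN_UID_MIN" ]; then
        if [ "$ngroups" -eq 0 ]; then flags=no-groups; fi
        if [ "$loginuid" = "$UNSET_LOGINUID" ]; then
            flags="${flags:+$flags,}loginuid-unset"
        fi
    fi
    echo "pid=$pid ppid=$ppid uid=$uid loginuid=$loginuid ngroups=$ngroups flags=${flags:-ok} cmd=$cmd"
)

# walk_ancestry ROOT PID -> report lines from PID up to init
walk_ancestry() (
    root=$1; pid=$2
    while [ -n "$pid" ] && [ "$pid" != 0 ] && [ -r "$root/$pid/status" ]; do
        check_pid "$root" "$pid"
        pid=$(status_field "$root" "$pid" PPid)
    done
)

# flagged_count ROOT PID -> number of ancestors (including PID) with a flag
flagged_count() (
    walk_ancestry "$1" "$2" | grep -cv ' flags=ok ' || true
)

# --- constructed sample data (not captured from a real system) ---
# fake_proc ROOT PID PPID UID LOGINUID CMDLINE GROUPS
fake_proc() {
    mkdir -p "$1/$2"
    printf 'Pid:\t%s\nPPid:\t%s\nUid:\t%s\t%s\t%s\t%s\nGroups:\t%s\n' \
        "$2" "$3" "$4" "$4" "$4" "$4" "$7" > "$1/$2/status"
    printf '%s\n' "$5" > "$1/$2/loginuid"
    printf '%s' "$6" > "$1/$2/cmdline"
}

# make_sample_tree DIR broken|good: PIDs and group list as quoted in the thread;
# the loginuid values for init and for the good tmux process are assumed.
make_sample_tree() (
    all="0 4 6 7 20 24 25 27 29 44 46 100 108 114 132 134 134 137 142 1000"
    fake_proc "$1" 1 0 0 "$UNSET_LOGINUID" /sbin/init ""
    if [ "$2" = broken ]; then
        fake_proc "$1" 3548 1 1000 "$UNSET_LOGINUID" tmux ""
        fake_proc "$1" 3610 3548 1000 "$UNSET_LOGINUID" -bash ""
    else
        fake_proc "$1" 3488 1 1000 1000 -tmux "$all"
        fake_proc "$1" 3516 3488 1000 1000 -bash "$all"
    fi
)

demo=$(mktemp -d)
make_sample_tree "$demo/broken" broken
make_sample_tree "$demo/good" good
echo "== broken sequence (GUI terminal) =="
walk_ancestry "$demo/broken" 3610
echo "== correct scenario (tty login) =="
walk_ancestry "$demo/good" 3516
rm -rf "$demo"
```

Service accounts with uids at or above the threshold can legitimately have no supplementary groups, so treat a flag as a prompt to compare against `id -G <user>` rather than as proof of this regression.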
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
Marc: regular stand-alone install, local authentication via passwd/shadow/group.

Here's what I see with the 'broken' sequence GUI terminal:

tj ~ id
uid=1000(tj) gid=1000(tj) groups=1000(tj)
tj ~ groups
tj
tj ~ groups $USER
tj : tj root adm disk lp dialout cdrom floppy sudo audio video plugdev users netdev lpadmin kvm libvirtd wireshark lxd libvirtd

$ pid=$BASHPID; while [[ $pid -ne 0 ]]; do ids=$(grep '^([P]*id\|.*id:\|Groups:)' /proc/$pid/status); echo -e "cmdline: $(cat /proc/$pid/cmdline) \n $ids" 2>/dev/null; pid=$(echo $ids | awk '{print $8}'); done > Hacking/bug-groups-parent-process-tree.log

cmdline: -bash
Tgid: 3610
Ngid: 0
Pid: 3610
PPid: 3548
TracerPid: 0
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
NStgid: 3610
NSpid: 3610
NSpgid: 3610
NSsid: 3610

cmdline: tmux
Tgid: 3548
Ngid: 0
Pid: 3548
PPid: 1
TracerPid: 0
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
NStgid: 3548
NSpid: 3548
NSpgid: 3548
NSsid: 3548

cmdline: /sbin/init
Tgid: 1
Ngid: 0
Pid: 1
PPid: 0
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
NStgid: 1
NSpid: 1
NSpgid: 1
NSsid: 1
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
Marc: Are you using gdm to log into the graphical session?

lightdm - this is Xubuntu
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
I am beginning to suspect this is a systemd-logind issue.

I've been thinking it's logind but just checked the upgrade packages to/from versions and cross-checked against the changelogs.

? systemd:amd64 (237-3ubuntu10, 237-3ubuntu10.3),

And we have a major change to logind included in that:

systemd (237-3ubuntu10.2) bionic; urgency=medium

  * logind: backport v238/v239 fixes for handling DRM devices.
    These changes introduce all the fixes that correct handling of open fd's related to the DRM devices, as used by for example NVIDIA GPUs. This backport includes some refactoring, corrections, and comment updates. This to insure that correct history is preserved, code comments match reality, and to ease backporting logind fixes in the future SRUs. (LP: #1777099)
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
I experience this same behaviour using lightdm + KDE plasma. I've also tested lightdm + unity which did not trigger this behaviour. This install uses local passwd/shadow/group files. Both tests were after a fresh boot.

harm@harm-XPS-13-9360:~$ lsb_release -a; cat /proc/version
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.1 LTS
Release: 18.04
Codename: bionic
Linux version 4.15.0-29-generic (buildd@lgw01-amd64-057) (gcc version 7.3.0 (Ubuntu 7.3.0-16ubuntu3)) #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018

harm@harm-XPS-13-9360:~$ groups; groups $(whoami)
harm
harm : harm adm dialout cdrom sudo dip plugdev netdev lpadmin sambashare libvirt docker

harm@harm-XPS-13-9360:~$ id; id $(whoami)
uid=1000(harm) gid=1000(harm) groups=1000(harm)
uid=1000(harm) gid=1000(harm) groups=1000(harm),4(adm),20(dialout),24(cdrom),27(sudo),30(dip),46(plugdev),109(netdev),113(lpadmin),128(sambashare),135(libvirt),999(docker)

harm@harm-XPS-13-9360:~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat systemd
group: compat systemd
shadow: compat
gshadow: files
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
Are you using local passwd/shadow/group files, or are you authenticating using something else?
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
What's the output of "id" in a broken shell?
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
I think this Debian-reported bug is closely related. The description certainly sounds very like what I've experienced so far. I'm not linking it to this bug report until any relationship is clearer.

"policykit-1: please treat background processes (user bus) as part of active GUI session"

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779988

** Bug watch added: Debian Bug tracker #779988
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779988
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
/proc/*/loginuid is set by the pam_loginuid module when you login. Policykit isn't involved in that process at all.

Are you using gdm to log into the graphical session?
[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user's groups )
** Summary changed:

- Regression due to CVE-2018-1116 (processes not inheriting user ID or groups )
+ Regression due to CVE-2018-1116 (processes not inheriting user's groups )