Your message dated Sat, 10 Feb 2018 03:35:37 +0000
with message-id <e1eklwv-0009fm...@fasolo.debian.org>
and subject line Bug#889098: fixed in procps 2:3.3.12-4
has caused the Debian Bug report #889098,
regarding enforce fs.protected_hardlinks in sysctl.d by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
889098: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889098
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: procps
Version: 2:3.3.12-3
Severity: normal
Tags: security

Following the disclosure of CVE-2017-18078, there was an elaborate
discussion on the #debian-devel and #debian-security IRC channels
regarding the scope of the vulnerability. It was then realized that
the impact of this was broader than just systemd: any time a command
like `chown -R` is run over an untrusted directory, by root, the same
problem occurs.

This is of course mitigated by the fs.protected_hardlinks kernel
configuration, which is enforced through a patch on all the official
Debian kernels distributed by Debian, including in wheezy. See for
example:

    https://sources.debian.org/src/linux/3.16.7-ckt20-1+deb8u3/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch/
    https://sources.debian.org/src/linux/4.14.13-1/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch/

There are, however, people *not* running Debian-built kernels, and
sometimes for good reasons. This is a configuration that we should
still support.

Therefore, it seems to me we should enable this more broadly, for
example in /etc/sysctl.d/protected-hardlinks.conf. Configuring this in
user space is actually what is recommended by Linus Torvalds and the
upstream Linux kernel:

    https://github.com/torvalds/linux/commit/561ec64ae67ef25cac8d72bb9c4bfc955edfd415

systemd ships this configuration as well, but this was deliberately
removed from Debian's systemd configuration:

    https://salsa.debian.org/systemd-team/systemd/commit/3e1bfe0d84545557d268c1293fff0d5f3db3b5c7

I agree with the above perspective: systemd is not sufficient to
resolve that issue. We still have other init systems and we shouldn't
fix this in systemd, but in a broader package. This is why I am
proposing to fix this in procps, which ultimately owns /etc/sysctl.d/
(and /etc/sysctl.conf).

This is not a strong position: if people think this belongs in systemd
more than procps, or there is some more relevant place this can be
done *by default*, let's do it there and not quibble over that
peculiar bikeshed. :)

I would suggest adding the following configuration:

# Enable hard link protection
fs.protected_hardlinks = 1

Note that the original systemd config also enables softlink
protection:

https://salsa.debian.org/systemd-team/systemd/blob/master/sysctl.d/50-default.conf

I'm not sure if that's also relevant here so I'd keep this to
hardlinks for now to avoid unnecessary debate.

Incidentally, I wonder if we should remove the patch we have on the
Debian kernels to change the defaults, and instead rely on the
sysctl. I have added the kernel team in CC to have their input.

Thanks!

--- End Message ---
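As an added illustration of the report above (not part of the bug report or of the procps package), the following POSIX shell script audits whether the link protections are active on the running kernel and emits the sysctl.d drop-in the report proposes, extended with the symlink setting the maintainer's changelog mentions. The PROC_SYS tree argument and the drop-in file name /etc/sysctl.d/protected-hardlinks.conf are assumptions taken from the report's suggestion.

```shell
#!/bin/sh
# Added example: audit fs.protected_hardlinks / fs.protected_symlinks and
# generate the sysctl.d drop-in. The tree argument defaults to the real
# /proc/sys but can point at a constructed tree (used for offline testing).
set -u

# Print the value of one sysctl key from the given tree, or "missing" if the
# kernel does not expose it (e.g. a kernel built without the feature).
read_sysctl() {
    tree=$1; key=$2
    f="$tree/$(printf '%s' "$key" | tr . /)"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else printf 'missing'; fi
}

# Return 0 when both link protections are enabled, 1 otherwise.
# This is the check an admin on a non-Debian kernel would run before
# trusting recursive operations such as `chown -R` on untrusted trees.
links_protected() {
    tree=${1:-/proc/sys}
    h=$(read_sysctl "$tree" fs.protected_hardlinks)
    s=$(read_sysctl "$tree" fs.protected_symlinks)
    if [ "$h" = 1 ] && [ "$s" = 1 ]; then return 0; fi
    printf 'protected_hardlinks=%s protected_symlinks=%s\n' "$h" "$s" >&2
    return 1
}

# Content of the drop-in: the report's hardlink line plus symlink protection.
sysctl_dropin() {
    printf '# Enable hard link protection\nfs.protected_hardlinks = 1\n'
    printf '# Enable symlink protection\nfs.protected_symlinks = 1\n'
}

# Write the drop-in and apply it (needs root; file name is an assumption).
install_dropin() {
    sysctl_dropin > /etc/sysctl.d/protected-hardlinks.conf
    sysctl --system >/dev/null
}
```

Run `links_protected` to audit a host; call `install_dropin` as root to apply the mitigation persistently.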
--- Begin Message ---
Source: procps
Source-Version: 2:3.3.12-4

We believe that the bug you reported is fixed in the latest version of
procps, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csm...@debian.org> (supplier of updated procps package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sat, 10 Feb 2018 10:59:11 +1100
Source: procps
Binary: procps libprocps6 libprocps-dev
Architecture: source amd64
Version: 2:3.3.12-4
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Craig Small <csm...@debian.org>
Description:
 libprocps-dev - library for accessing process information from /proc
 libprocps6 - library for accessing process information from /proc
 procps     - /proc file system utilities
Closes: 882121 889098
Changes:
 procps (2:3.3.12-4) unstable; urgency=medium
 .
   * Add sysctl configuration file to protect hard and soft links
     This mitigates CVE-2017-18078 on non-Debian kernels Closes: #889098
   * Update Vcs to Salsa
   * Update notes about sysrq Closes: #882121
   * Update standards to 4.1.3


--- End Message ---