Hello community, here is the log from the commit of package trousers for openSUSE:Leap:15.2 checked in at 2020-05-29 15:16:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/trousers (Old) and /work/SRC/openSUSE:Leap:15.2/.trousers.new.3606 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "trousers" Fri May 29 15:16:27 2020 rev:14 rq:810121 version:0.3.14
Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/trousers/trousers.changes 2020-01-15 16:25:05.448640808 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.trousers.new.3606/trousers.changes 2020-05-29 15:16:32.823149645 +0200
@@ -1,0 +2,10 @@
+Mon May 25 08:55:27 UTC 2020 - Matthias Gerstner <matthias.gerst...@suse.com>
+
+- fix a potential tss user to root privilege escalation when running tcsd
+ (bsc#1164472). To do this run tcsd as the 'tss' user right away to prevent
+ badly designed privilege drop and initialization code to run.
+- add bsc1164472.patch: additionally harden operation of tcsd when running as
+ root. No longer follow symlinks in /var/lib/tpm. Drop gid to tss main group.
+ require /etc/tcsd.conf to be owned by root:tss mode 0640.
+
+-------------------------------------------------------------------
New:
----
91-trousers.rules bsc1164472.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ trousers.spec ++++++
--- /var/tmp/diff_new_pack.ausZQU/_old 2020-05-29 15:16:33.235150989 +0200
+++ /var/tmp/diff_new_pack.ausZQU/_new 2020-05-29 15:16:33.239151002 +0200
@@ -27,11 +27,14 @@
 Source0: http://downloads.sf.net/trousers/%{name}-%{version}.tar.gz
 Source1: tcsd.service
 Source2: baselibs.conf
+Source3: 91-trousers.rules
+Patch1: bsc1164472.patch
 BuildRequires: gtk2-devel
 BuildRequires: libtool
 BuildRequires: openssl-devel
 BuildRequires: pkg-config
 BuildRequires: systemd-rpm-macros
+BuildRequires: udev
 # for 'stat' for the hack in %pretrans
 BuildRequires: coreutils
 Requires(pre): pwdutils
@@ -79,6 +82,7 @@
 %prep
 %setup -q -c %{name}-%{version}
+%patch1 -p1
 %build
 CC=gcc
@@ -107,6 +111,14 @@
 rm -v %{buildroot}/%{_lib}/libtspi.{so,la}
 mv -v %{buildroot}/%{_lib}/*.a %{buildroot}%{_libdir}
+# we want to run tcsd as tss user right away. therefore we need to install a
+# suitable udev rule file. this conflicts somewhat with tpm2-0-tss, but both
+# rules files are compatible at the moment. trousers has a lower priority than
+# tpm2-0-tss in case both should be installed. The tss user is shared between
+# both packages anyways already.
+mkdir -p %{buildroot}%{_udevrulesdir}
+install -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}
+
 %pre
 %_bindir/getent group tss >/dev/null || %{_sbindir}/groupadd -g 98 tss || :
 %_bindir/getent passwd tss >/dev/null || \
@@ -139,20 +151,15 @@
 %post
 %service_add_post tcsd.service
+%_bindir/udevadm trigger -s tpm || :
-%posttrans
-# see pretrans for an explanation of this
-for data in system.data.auth system.data.noauth; do
- file="%{tpmstatedir}/${data}"
- # nothing to restore here
- [ ! -e "${file}.rpmsave" ] && continue
- # for some reason the to-be-restored file already exists? ignore.
- [ -e "${file}" ] && continue
- # restore the original file
- echo "restoring backup of $file"
- mv --no-target-directory ${file}.rpmsave ${file}
- chown --no-dereference tss:tss "${file}"
-done
+# bsc#1164472: adjust potential root ownership to allow tcsd to open the file
+# as unprivileged user. Be careful not to follow a symlink target.
+system_data=%{tpmstatedir}/system.data
+
+if [ -e "${system_data}" ]; then
+ chown --no-dereference tss:tss %{tpmstatedir}/system.data
+fi
 %postun
 %service_del_postun tcsd.service
@@ -166,7 +173,7 @@
 %files
 %defattr(-,root,root)
-%config(noreplace) %attr(600,tss,tss) %{_sysconfdir}/tcsd.conf
+%config(noreplace) %attr(640,root,tss) %{_sysconfdir}/tcsd.conf
 %doc README README.selinux AUTHORS ChangeLog LICENSE NICETOHAVES TODO doc/*
 %{_mandir}/man5/*
 %{_mandir}/man8/*
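Review bot: In the new `%post` block (hunk `@@ -139,20 +151,15 @@`) the root-run `chown` is protected against symlinks only; `--no-dereference` does not cover a hard link, and `[ -e ... ]` itself follows symlinks, so the test and the action do not look at the same object. If `%{tpmstatedir}` is writable by the tss user (its ownership is not visible in this hunk), the scriptlet depends on the kernel's `fs.protected_hardlinks` setting, which deserves a comment next to the existing "Be careful not to follow a symlink target" remark. A tighter guard would be `if [ -f "${system_data}" ] && [ ! -L "${system_data}" ]; then`. The block also defines `system_data` and then spells the path out again; `chown --no-dereference tss:tss "${system_data}"` keeps the test and the chown on one quoted path.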
@@ -175,6 +182,7 @@
 %{_sbindir}/tcsd
 %{_sbindir}/rctcsd
 %{_unitdir}/tcsd.service
+%{_udevrulesdir}/91-trousers.rules
 %files devel
 %defattr(-,root,root)
++++++ 91-trousers.rules ++++++
KERNEL=="tpm[0-9]*", MODE="0660", OWNER="tss"
++++++ bsc1164472.patch ++++++
Index: trousers-0.3.14/src/tcs/ps/tcsps.c
===================================================================
--- trousers-0.3.14.orig/src/tcs/ps/tcsps.c
+++ trousers-0.3.14/src/tcs/ps/tcsps.c
@@ -72,7 +72,7 @@ get_file()
 }
 /* open and lock the file */
- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
+ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
 if (system_ps_fd < 0) {
 LogError("system PS: open() of %s failed: %s", tcsd_options.system_ps_file, strerror(errno));
Index: trousers-0.3.14/src/tcsd/svrside.c
===================================================================
--- trousers-0.3.14.orig/src/tcsd/svrside.c
+++ trousers-0.3.14/src/tcsd/svrside.c
@@ -473,6 +473,7 @@ main(int argc, char **argv)
 }
 return TCSERR(TSS_E_INTERNAL_ERROR);
 }
+ setgid(pwd->pw_gid);
 setuid(pwd->pw_uid);
 #endif
 #endif
Index: trousers-0.3.14/src/tcsd/tcsd_conf.c
===================================================================
--- trousers-0.3.14.orig/src/tcsd/tcsd_conf.c
+++ trousers-0.3.14/src/tcsd/tcsd_conf.c
@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
 #ifndef SOLARIS
 struct group *grp;
 struct passwd *pw;
- mode_t mode = (S_IRUSR|S_IWUSR);
+ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
 #endif /* SOLARIS */
 TSS_RESULT result;
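Review bot: `O_NOFOLLOW` in the tcsps.c hunk rejects a symlink only in the final path component, and the descriptor returned by `open()` with `O_CREAT` is used without checking what was actually opened. When tcsd still runs as root, the case this patch hardens, a check on the descriptor such as `if (fstat(system_ps_fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1)` before the file is locked would also reject hard links and non-regular files. get_file() starts and ends outside the hunk, so an existing check further down cannot be ruled out from here.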
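Review bot: The return values of the added `setgid(pwd->pw_gid)` and of the existing `setuid(pwd->pw_uid)` in the svrside.c hunk are ignored, so tcsd continues with root's gid or uid if either call fails. The visible lines also leave the supplementary group list untouched, so root's groups survive the drop unless code outside the hunk clears them. Each call should be checked and a failure treated as fatal, in the order supplementary groups, gid, uid. main() starts and ends outside the hunk, and `setgroups()` needs `<grp.h>`, which svrside.c may or may not already include.

```c
	/* … unchanged: lookup of pwd and its error return … */
	/* drop supplementary groups, then gid, then uid; any failure is fatal */
	if (setgroups(0, NULL) != 0 ||
	    setgid(pwd->pw_gid) != 0 ||
	    setuid(pwd->pw_uid) != 0) {
		LogError("Failed to drop root privileges: %s", strerror(errno));
		return TCSERR(TSS_E_INTERNAL_ERROR);
	}
```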
@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
 }
 /* make sure user/group TSS owns the conf file */
- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
+ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
 LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
- TSS_USER_NAME, TSS_GROUP_NAME);
+ "root", TSS_GROUP_NAME);
 return TCSERR(TSS_E_INTERNAL_ERROR);
 }
- /* make sure only the tss user can manipulate the config file */
+ /* make sure only the tss user can read (but not manipulate) the config file */
 if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
+ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
 return TCSERR(TSS_E_INTERNAL_ERROR);
 }
 #endif /* SOLARIS */
++++++ tcsd.service ++++++
--- /var/tmp/diff_new_pack.ausZQU/_old 2020-05-29 15:16:33.315151250 +0200
+++ /var/tmp/diff_new_pack.ausZQU/_new 2020-05-29 15:16:33.315151250 +0200
@@ -4,6 +4,7 @@
 [Service]
 Type=forking
 ExecStart=/usr/sbin/tcsd
+User=tss
 [Install]
 WantedBy=multi-user.target
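Review bot: The unchanged comment `/* make sure user/group TSS owns the conf file */` above the rewritten ownership test in tcsd_conf.c is now wrong, because the test requires uid 0 and only the group to be tss. The rewritten second comment says "only the tss user can read", while mode 0640 with owner root gives read access to root and the tss group. Suggested wording: `/* conf file must be owned by root, with group TSS */` and `/* root may write, the tss group may only read, no access for others */`. Separately, both checks act on `stat_buf`, which is filled outside the hunk; if it comes from a path-based `stat()` rather than `fstat()` on the descriptor that is later parsed, the file can change between check and use. conf_file_init() starts and ends outside the hunk.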
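Review bot: `User=tss` in tcsd.service is added without `Group=` or any other restriction in `[Service]`. systemd falls back to the primary group of tss, but writing `Group=tss` makes the unit visibly match the root:tss 0640 requirement on /etc/tcsd.conf that the same commit introduces. Since the daemon no longer needs root at start, `NoNewPrivileges=yes` could be set alongside it so the process cannot regain privileges through setuid binaries.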