TJ is right, I also confirmed this issue on a freshly installed 18.04.1
x86_64 Desktop VM last night. After enabling 'proposed' and installing
all pending updates, 'groups' in a terminal returned just the users
primary group. I then restored a snapshot taken right after the 18.04
installation (but with 'proposed' already enabled), and installed all
pending updates again, this time one by one, but could not reproduce it
then. I don't have any indication that the outcome would have been any
different without 'proposed'.

So it remains unclear to me how to reproduce this reliably. It is clear
that it is possible to reproduce this (occasionally) on a fresh 18.04.1
installation. And also on 16.04.5. So I do think it will affect many.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1784964

Title:
  Regression due to CVE-2018-1116 (processes not inheriting user ID or
  groups )

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  This report is tracking a possible regression caused by the recent
  CVE-2018-1116 patches to policykit-1.

  On 18.04, since package upgrades on July 23rd, and after the first
  reboot since then on Aug 1st, I hit an issue with the primary (sudo,
  adm, etc...) user getting Permission Denied trying to do:

  tail -f /var/log/syslog

  when that file is owned by syslog:adm and is g=r.

  I then found that "groups" reports only the $USER and not the entire
  list, but "groups $USER" reports all the groups correctly.

  The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g
  default-shell /bin/bash"

  After changing the user's shell back to /bin/bash and logging in on
  tty1 the list of groups shows correctly for the /bin/bash process
  running on tty1.

  I investigated and found that for the affected processes, such as the
  tmux process, /proc/$PID/loginuid = 4294967295  whereas the /bin/bash
  process on tty1 correctly reported 1000. The same with the respective
  gid_map and uid_map.

  4294967295 == -1 == 0xFFFFFFFF

  The recent CVE patch to policykit has several functions where it does
  "uid = -1" which seems to tie in to my findings so far.

  I also noticed Ubuntu is still based on version 0.105 which was
  released in 2012 - upstream released 0.115 with the CVE patch.

  I suspect the backporting has missed something.

  The Ubuntu backport patch is:

  https://git.launchpad.net/ubuntu/+source/policykit-1/commit/?h=applied/ubuntu
  /bionic-devel&id=840c50182f5ab1ba28c1d20cce4c207364852935

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to