Hi,

I don't have any objections regarding the change of the default tmpfiles
provider but I would like to classify the vulnerability:

On 2020-11-25 22:57, Georgy Yakovlev wrote:
> In case you don't know, opentmpfiles has an open CVE CVE-2017-18925:
> root privilege escalation by symlink attack
> https://github.com/OpenRC/opentmpfiles/issues/4 It has been an issue
> for quite a while, reported 3 years ago, and not much changed since.

Don't get scared by 'root privilege escalation': *Any* problem in *any*
tmpfiles provider will *always* allow for root privilege escalation
because this service is run by root early at boot.

In theory you could create a user for this service but you would need
CAP_DAC_OVERRIDE privileges which would again allow for root privilege
escalation.

Regarding CVE-2017-18925 itself: First you have to understand that
anyone can request a CVE and that it isn't the CNA's job to verify your
report. That's it, having a CVE doesn't mean that a problem was
confirmed. A CVE is just an identifier which should allow anyone who
wants to talk about the same problem to do that. For example, when we file
bug 123 in bugs.gentoo.org and Fedora has the same package and
experiences the same issue, they would file bug 456 in their bug tracker
-- the goal of a CVE is just to connect information regarding the same
issue -- in this example, the CVE would get references to Gentoo's bug
123 and Fedora's bug 456.

The bug itself is about a race condition. This race condition is real.

However, the impact is questionable: the tmpfiles service will only process
files from

/etc/tmpfiles.d/*.conf
/run/tmpfiles.d/*.conf
/usr/lib/tmpfiles.d/*.conf

Only root is allowed to write to these directories. In other words: To
exploit this, a malicious local user (or a remote attacker who already
gained user access) would have to trick root into creating a specially
crafted tmpfiles config allowing for race conditions first (according to
the 10 immutable laws of security, if this is already possible, you are
already lost).

If root doesn't install any tmpfiles config which will create such a
race condition and if package maintainers take care that their
packages won't do the same, you are fine.

Rule of thumb: Just make sure that you only create top level
directories. If something already exists, error out. Because whenever
you try to work in a directory where any other user is able to write to
at the same time, you are always vulnerable to such a race condition
(that's why you should have a second level for actual user data and keep
the first level for ACL handling -- the service user must only be allowed to
pass through this directory).


PS: Just to avoid any misunderstandings: OpenTmpfiles should of course
try to fix/avoid this problem if possible. Security is a layered process
(like an onion) and having multiple safeguards is always a good thing.


--
Regards,
Thomas Deutschmann / Gentoo Security Team
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
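The rule of thumb in the message above (create only top-level directories, error out if anything already exists, never "fix up" an existing entry with chown/chmod) written out as an added Python example; this is not opentmpfiles code and the function name and parent-directory checks are my own assumptions:

```python
import os
import shutil
import stat
import tempfile


def create_service_dir(path, mode=0o755, uid=-1, gid=-1):
    """Create `path` safely: refuse a parent other users can write to,
    refuse any pre-existing entry, and apply owner/mode only through a
    descriptor opened with O_NOFOLLOW so a symlink cannot redirect them."""
    parent = os.path.dirname(os.path.abspath(path)) or "/"
    pst = os.lstat(parent)
    if not stat.S_ISDIR(pst.st_mode):
        raise RuntimeError(f"{parent} is not a directory")
    if pst.st_uid not in (0, os.getuid()):
        raise RuntimeError(f"{parent} is not owned by root or us")
    if pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise RuntimeError(f"{parent} is writable by other users; refusing")
    try:
        os.mkdir(path, mode)  # atomic: EEXIST for any existing entry
    except FileExistsError:
        raise RuntimeError(f"{path} already exists; refusing to adjust it")
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        os.fchown(fd, uid, gid)  # -1 leaves the id unchanged
        os.fchmod(fd, mode)      # mkdir's mode is subject to umask
    finally:
        os.close(fd)
    return path


def demo():
    """Constructed self-check in a private temp dir: a fresh directory
    is created with the requested mode; a planted symlink at the target
    path is refused instead of being chown/chmod'ed through."""
    base = tempfile.mkdtemp()
    try:
        created = create_service_dir(os.path.join(base, "svc"), 0o750)
        mode = stat.S_IMODE(os.stat(created).st_mode)
        planted = os.path.join(base, "planted")
        os.symlink("/etc", planted)  # constructed pre-existing entry
        try:
            create_service_dir(planted, 0o750)
            refused = False
        except RuntimeError:
            refused = True
        return {"mode": mode, "refused_symlink": refused}
    finally:
        shutil.rmtree(base)
```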