Setuid programs are setgid-root: possible local privilege escalation

Ludovic Courtès wrote on 9 Feb 10:01 +0100

Recipients:(address . bug-guix@gnu.org)

Message-ID:87pn19ty12.fsf@gnu.org

Duncan Overbruck reported on guix-security on Jan. 30th that onGuix System, programs listed in ‘setuid-programs’ all end up beingsetuid-root *and* setgid-root (this issue is only relevant to GuixSystem users; users of Guix on “foreign” distros are unaffected).
The latter could potentially lead to local privilege escalation becausethese programs are usually designed to be setuid-root, but notsetgid-root. As Duncan wrote:

Toggle quote (16 lines)> The issue is that if those programs like ping are not aware of being> installed with setgid and then fail to drop full privileges.>> In case someone finds a vulnerability in ping, that happens somewhere after> the privileges should have been dropped then you have a privilege escalation> issue and not just a buffer overflow in code running as the user.>> Another case would be as example dbus-launch-helper usually owned by> root:dbus and is not executable by others, but in guix is root:root> and readable/executable by others, this could potentially open more> attack surface.>> With forcing every single setuid binary to be just root:root 06555 you> deviate from the developers intended permission and there could be something> that is going to be exploitable just because guix deviates from that.

We do not know of any exploitation of this issue. For completeness,here is the list of setuid programs one may get on Guix System by usingthe settings and services currently provided (‘service-types/setuid’comes from the attached file):

Toggle snippet (23 lines)scheme@(guile-user)> ,use(gnu system)scheme@(guile-user)> ,pp %setuid-programs$32 = (#<file-append #<package shadow@4.8.1 gnu/packages/admin.scm:662 7fb1abb9a960> "/bin/passwd"> #<file-append #<package shadow@4.8.1 gnu/packages/admin.scm:662 7fb1abb9a960> "/bin/sg"> #<file-append #<package shadow@4.8.1 gnu/packages/admin.scm:662 7fb1abb9a960> "/bin/su"> #<file-append #<package shadow@4.8.1 gnu/packages/admin.scm:662 7fb1abb9a960> "/bin/newgrp"> #<file-append #<package shadow@4.8.1 gnu/packages/admin.scm:662 7fb1abb9a960> "/bin/newuidmap"> #<file-append #<package shadow@4.8.1 gnu/packages/admin.scm:662 7fb1abb9a960> "/bin/newgidmap"> #<file-append #<package inetutils@1.9.4 gnu/packages/admin.scm:613 7fb1abb9aa00> "/bin/ping"> #<file-append #<package inetutils@1.9.4 gnu/packages/admin.scm:613 7fb1abb9aa00> "/bin/ping6"> #<file-append #<package sudo@1.9.5p2 gnu/packages/admin.scm:1422 7fb1abb9a0a0> "/bin/sudo"> #<file-append #<package sudo@1.9.5p2 gnu/packages/admin.scm:1422 7fb1abb9a0a0> "/bin/sudoedit"> #<file-append #<package fuse@2.9.9 gnu/packages/linux.scm:2846 7fb1adb353c0> "/bin/fusermount"> #<file-append #<package util-linux@2.35.1 gnu/packages/linux.scm:1507 7fb1adb2a8c0> "/bin/mount"> #<file-append #<package util-linux@2.35.1 gnu/packages/linux.scm:1507 7fb1adb2a8c0> "/bin/umount">)scheme@(guile-user)> ,pp (service-types/setuid)$33 = (#<service-type screen-locker 7fb1ab2b6200> #<service-type singularity 7fb1a9c01640> #<service-type enlightenment-desktop 7fb1ab7fa5c0> #<service-type polkit 7fb1bce11e00> #<service-type dbus 7fb1bce11f00>)

The immediate fix is to not make those programs setgid-root (patchattached).
(Incidentally, Chris Webber proposed to make it explicit, which we’ll doeventually: https://issues.guix.gnu.org/44700.)
Many thanks to Duncan Overbruck for reporting the issue!
Ludo’.

Toggle diff (13 lines)diff --git a/gnu/build/activation.scm b/gnu/build/activation.scmindex 4b67926e88..83586ce16c 100644--- a/gnu/build/activation.scm+++ b/gnu/build/activation.scm@@ -234,7 +234,7 @@ they already exist."                                  "/" (basename prog))))       (copy-file prog target)       (chown target 0 0)-      (chmod target #o6555)))+      (chmod target #o4555)))    (format #t "setting up setuid programs in '~a'...~%"           %setuid-directory)

(use-modules (gnu services) (srfi srfi-1) (srfi srfi-26)) (define (provides-setuid-programs? type) (find (lambda (extension) (eq? (service-extension-target extension) setuid-program-service-type)) (service-type-extensions type))) (define (service-types/setuid) (fold-service-types (lambda (type result) (if (provides-setuid-programs? type) (cons type result) result)) '()))

Ludovic Courtès wrote on 9 Feb 10:10 +0100

control message for bug #46395

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87mtwdtxly.fsf@gnu.org

tags 46395 + securityquit

Ludovic Courtès wrote on 9 Feb 10:10 +0100

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87o8gttxm3.fsf@gnu.org

severity 46395 importantquit

Ludovic Courtès wrote on 9 Feb 10:13 +0100

Re: bug#46395: Setuid programs are setgid-root: possible local privilege escalation

Recipients:(address . 46395@debbugs.gnu.org)

Message-ID:87ft25txh0.fsf@gnu.org

This is fixed by this commit:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aa8de806252e3835d57fab351b02d13db762deac
Guix System users are encouraged to upgrade by running something alongthe lines of:
guix pull sudo guix system reconfigure /run/current-system/configuration.scm
You can send comments and feedback to 46395@debbugs.gnu.org.
Ludovic.

Ludovic Courtès wrote on 9 Feb 10:28 +0100

control message for bug #46395

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87eehptwt8.fsf@gnu.org

tags 46395 fixedclose 46395 quit

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date