From debbugs-submit-bounces@debbugs.gnu.org Mon Apr 05 15:55:42 2021 Received: (at 47584) by debbugs.gnu.org; 5 Apr 2021 19:55:42 +0000 Received: from localhost ([127.0.0.1]:38637 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lTVK2-0003Zf-8F for submit@debbugs.gnu.org; Mon, 05 Apr 2021 15:55:42 -0400 Received: from eggs.gnu.org ([209.51.188.92]:37598) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lTVK0-0003ZQ-70 for 47584@debbugs.gnu.org; Mon, 05 Apr 2021 15:55:40 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:36383) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lTVJs-00038g-IC; Mon, 05 Apr 2021 15:55:34 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=46782 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1lTVJJ-0002gb-Gt; Mon, 05 Apr 2021 15:55:05 -0400 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Maxime Devos Subject: Re: bug#47584: Race condition in =?utf-8?Q?=E2=80=98copy-account-?= =?utf-8?Q?skeletons=E2=80=99=3A?= possible privilege escalation. References: <1a6ed722dfdd96dc8d53f939aa8e440ca7c29213.camel@telenet.be> <87mtufw1kh.fsf@gnu.org> <7ab30aad812e5de1216c95b3becb784e3363e615.camel@telenet.be> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 16 Germinal an 229 de la =?utf-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Mon, 05 Apr 2021 21:54:56 +0200 In-Reply-To: <7ab30aad812e5de1216c95b3becb784e3363e615.camel@telenet.be> (Maxime Devos's message of "Sun, 04 Apr 2021 09:36:05 +0200") Message-ID: <87zgycqzfz.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 47584 Cc: Leo Famulari , 47584@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) Hi Maxime, Maxime Devos skribis: > On Sat, 2021-04-03 at 22:33 +0200, Ludovic Court=C3=A8s wrote: >> Maxime Devos skribis: >>=20 >> > The attack consists of the user being logged in after the account >> > skeletons have been copied to the home directory, but before the >> > owner of the account skeletons have been set. The user then deletes >> > a copied account skeleton (e.g. @file{$HOME/.gdbinit}) and replaces >> > it with a symbolic link to a file not owned by the user, such as >> > @file{/etc/shadow}. >> >=20 >> > The activation code then changes the ownership >> > of the file the symbolic link points to instead of the symbolic >> > link itself. At that point, the user has read-write access >> > to the target file. >>=20 >> In the draft blog post, you mention that the attack cannot be carried >> out when protected symlinks are enabled. > > In the blog post, I thought I wrote the attack can be carried out > *even if* protected symlinks are enabled. Looking at > > https://sysctl-explorer.net/fs/protected_symlinks/, > > I don't think the Linux protected symlink feature helps, as home > directories are never sticky and word-writable. Oh right, my bad, I overlooked this. > Perhaps I should have written =E2=80=98possible=E2=80=99 instead of =E2= =80=98not impossible=E2=80=99 > in the blog post. Dunno, maybe it=E2=80=99s just me not paying enough attention. > I agree with all other comments on this bug report. OK. It does mean that the bug is hardly exploitable in practice: you have to be able to log in at all, and if you=E2=80=99re able to log in, you= have to log in precisely within the 1s (or less) that follows account creation, which sounds challenging (TCP + SSH connection establishment is likely to take as much time or more, likewise for typing in your password.) It=E2=80=99s also one-time chance. Do I get it right? Does it warrant as strong messaging as for the recent daemon =E2=80=98--keep-failed=E2=80=99 vulnerability? Thanks, Ludo=E2=80=99.