GNU bug report logs - #46395
Setuid programs are setgid-root: possible local privilege escalation


Package: guix;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Tue, 9 Feb 2021 09:02:01 UTC

Severity: important

Tags: fixed, security

Done: Ludovic Courtès <ludo <at> gnu.org>


Report forwarded to bug-guix <at> gnu.org:
bug#46395; Package guix. (Tue, 09 Feb 2021 09:02:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ludovic Courtès <ludo <at> gnu.org>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Tue, 09 Feb 2021 09:02:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: <bug-guix <at> gnu.org>
Subject: Setuid programs are setgid-root: possible local privilege escalation
Date: Tue, 09 Feb 2021 10:01:45 +0100
[Message part 1 (text/plain, inline)]
Duncan Overbruck reported on guix-security on Jan. 30th that on
Guix System, programs listed in ‘setuid-programs’ all end up being
setuid-root *and* setgid-root (this issue is only relevant to Guix
System users; users of Guix on “foreign” distros are unaffected).

The latter could potentially lead to local privilege escalation because
these programs are usually designed to be setuid-root, but not
setgid-root.  As Duncan wrote:

> The issue is that those programs like ping are not aware of being
> installed with setgid and then fail to drop full privileges.
>
> In case someone finds a vulnerability in ping that happens somewhere after
> the privileges should have been dropped, then you have a privilege escalation
> issue and not just a buffer overflow in code running as the user.
>
> Another case would be, for example, dbus-launch-helper, which is usually owned by
> root:dbus and is not executable by others, but in Guix is root:root
> and readable/executable by others; this could potentially open more
> attack surface.
>
> By forcing every single setuid binary to be just root:root 06555 you
> deviate from the developers' intended permissions and there could be something
> that is going to be exploitable just because Guix deviates from that.

We do not know of any exploitation of this issue.  For completeness,
here is the list of setuid programs one may get on Guix System by using
the settings and services currently provided (‘service-types/setuid’
comes from the attached file):

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> ,use(gnu system)
scheme@(guile-user)> ,pp %setuid-programs
$32 = (#<file-append #<package shadow <at> 4.8.1 gnu/packages/admin.scm:662 7fb1abb9a960> "/bin/passwd">
 #<file-append #<package shadow <at> 4.8.1 gnu/packages/admin.scm:662 7fb1abb9a960> "/bin/sg">
 #<file-append #<package shadow <at> 4.8.1 gnu/packages/admin.scm:662 7fb1abb9a960> "/bin/su">
 #<file-append #<package shadow <at> 4.8.1 gnu/packages/admin.scm:662 7fb1abb9a960> "/bin/newgrp">
 #<file-append #<package shadow <at> 4.8.1 gnu/packages/admin.scm:662 7fb1abb9a960> "/bin/newuidmap">
 #<file-append #<package shadow <at> 4.8.1 gnu/packages/admin.scm:662 7fb1abb9a960> "/bin/newgidmap">
 #<file-append #<package inetutils <at> 1.9.4 gnu/packages/admin.scm:613 7fb1abb9aa00> "/bin/ping">
 #<file-append #<package inetutils <at> 1.9.4 gnu/packages/admin.scm:613 7fb1abb9aa00> "/bin/ping6">
 #<file-append #<package sudo <at> 1.9.5p2 gnu/packages/admin.scm:1422 7fb1abb9a0a0> "/bin/sudo">
 #<file-append #<package sudo <at> 1.9.5p2 gnu/packages/admin.scm:1422 7fb1abb9a0a0> "/bin/sudoedit">
 #<file-append #<package fuse <at> 2.9.9 gnu/packages/linux.scm:2846 7fb1adb353c0> "/bin/fusermount">
 #<file-append #<package util-linux <at> 2.35.1 gnu/packages/linux.scm:1507 7fb1adb2a8c0> "/bin/mount">
 #<file-append #<package util-linux <at> 2.35.1 gnu/packages/linux.scm:1507 7fb1adb2a8c0> "/bin/umount">)
scheme@(guile-user)> ,pp (service-types/setuid)
$33 = (#<service-type screen-locker 7fb1ab2b6200>
 #<service-type singularity 7fb1a9c01640>
 #<service-type enlightenment-desktop 7fb1ab7fa5c0>
 #<service-type polkit 7fb1bce11e00>
 #<service-type dbus 7fb1bce11f00>)
--8<---------------cut here---------------end--------------->8---

The immediate fix is to not make those programs setgid-root (patch
attached).

(Incidentally, Chris Webber proposed to make it explicit, which we’ll do
eventually: <https://issues.guix.gnu.org/44700>.)

Many thanks to Duncan Overbruck for reporting the issue!

Ludo’.

[Message part 2 (text/x-patch, inline)]
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index 4b67926e88..83586ce16c 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -234,7 +234,7 @@ they already exist."
                                  "/" (basename prog))))
       (copy-file prog target)
       (chown target 0 0)
-      (chmod target #o6555)))
+      (chmod target #o4555)))
 
   (format #t "setting up setuid programs in '~a'...~%"
           %setuid-directory)
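Review bot: the mode change from #o6555 to #o4555 drops only the setgid bit; the `(chown target 0 0)` two lines above still forces every wrapper to root:root with read and execute permission for "other", so a program that upstream ships with a dedicated group and no access for others (the dbus-launch-helper case in the report) remains exposed after this hunk alone, which is what the per-program ownership and mode work referenced at <https://issues.guix.gnu.org/44700> would have to address. Keeping chown before chmod is the right order, since chown on Linux clears the setuid/setgid bits of an executable; a short comment on the `(chmod target #o4555)` line stating that setuid-only is deliberate would help keep the setgid bit from being reintroduced later.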
[setuid-programs.scm (text/plain, inline)]
(use-modules (gnu services)
             (srfi srfi-1)
             (srfi srfi-26))

;; Return true when TYPE extends 'setuid-program-service-type', i.e. when
;; instances of that service type add entries to the setuid program list.
(define (provides-setuid-programs? type)
  (find (lambda (extension)
          (eq? (service-extension-target extension)
               setuid-program-service-type))
        (service-type-extensions type)))

;; Collect every known service type that contributes setuid programs.
(define (service-types/setuid)
  (fold-service-types (lambda (type result)
                        (if (provides-setuid-programs? type)
                            (cons type result)
                            result))
                      '()))
[signature.asc (application/pgp-signature, inline)]
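A check for the condition the report describes, added here as an example; it is not part of Guix or of the report. It assumes the wrapper directory is /run/setuid-programs (the %setuid-directory the patch refers to) and, as the patch shows, that every file there has been chown'ed to 0:0, so a setgid bit there means setgid-root; the demonstration directory at the end is constructed.

```shell
#!/bin/sh
# Audit a setuid wrapper directory for the setgid bit (bug#46395).
# Assumption: on Guix System the directory is /run/setuid-programs and
# every file in it is owned by 0:0, so setgid there means setgid-root.

# Print every regular file directly under $1 with the setgid bit (02000).
setgid_programs() {
    find "$1" -maxdepth 1 -type f -perm -02000 -print
}

# Return 0 when no program in $1 is setgid, 1 (with a listing) otherwise.
audit_setuid_dir() {
    hits=$(setgid_programs "$1")
    if [ -n "$hits" ]; then
        echo "setgid bit still set in $1 (expected mode 4555):" >&2
        echo "$hits" | xargs ls -l >&2
        return 1
    fi
    return 0
}

# Constructed demonstration directory (not a real Guix system): one
# wrapper with the pre-fix mode 6555 and one with the fixed mode 4555.
make_demo_dir() {
    demo=$(mktemp -d)
    printf '#!/bin/sh\n' > "$demo/ping" && chmod 6555 "$demo/ping"  # before fix
    printf '#!/bin/sh\n' > "$demo/su"   && chmod 4555 "$demo/su"    # after fix
    printf '%s\n' "$demo"
}

dir=$(make_demo_dir)
if audit_setuid_dir "$dir"; then
    echo "clean: $dir"
else
    echo "reconfigure needed: $dir"
fi
rm -rf "$dir"
```

On a Guix System, `audit_setuid_dir /run/setuid-programs` returns non-zero until the system has been reconfigured with the fix.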

Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Tue, 09 Feb 2021 09:11:02 GMT) Full text and rfc822 format available.

Severity set to 'important' from 'normal' Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Tue, 09 Feb 2021 09:11:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-guix <at> gnu.org:
bug#46395; Package guix. (Tue, 09 Feb 2021 09:14:02 GMT) Full text and rfc822 format available.

Message #12 received at 46395 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: 46395 <at> debbugs.gnu.org
Subject: Re: bug#46395: Setuid programs are setgid-root: possible local privilege escalation
Date: Tue, 09 Feb 2021 10:13:47 +0100
This is fixed by this commit:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aa8de806252e3835d57fab351b02d13db762deac

Guix System users are encouraged to upgrade by running something along
the lines of:

  guix pull
  sudo guix system reconfigure /run/current-system/configuration.scm

You can send comments and feedback to 46395 <at> debbugs.gnu.org.

Ludovic.

Added tag(s) fixed. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Tue, 09 Feb 2021 09:29:01 GMT) Full text and rfc822 format available.

bug closed, send any further explanations to 46395 <at> debbugs.gnu.org and Ludovic Courtès <ludo <at> gnu.org> Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Tue, 09 Feb 2021 09:29:02 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 09 Mar 2021 12:24:09 GMT) Full text and rfc822 format available.
