user session support allows non-priv users to gain root privileges

Bug #766206 reported by James Hunt
Affects           Status        Importance  Assigned to  Milestone
upstart (Ubuntu)  Fix Released  Critical    James Hunt
Natty             Fix Released  Critical    James Hunt

Bug Description

Binary package hint: upstart

Upstart 0.9.4-1ubuntu1 contains user session code. For natty, user sessions are disabled. However, should a user/admin re-enable user session support (by pulling the Upstart.conf dbus config file from upstream Upstart), starting a user job would allow root escalation since all user session jobs run as root.

The following branch includes a fix for this issue:

  lp:~jamesodhunt/ubuntu/natty/upstart/fix-chroot-sessions

Tags: server-nro

Related branches

Changed in upstart (Ubuntu Natty):
importance: Undecided → Critical
assignee: nobody → James Hunt (jamesodhunt)
status: New → Fix Committed
milestone: none → ubuntu-11.04
Dave Walker (davewalker)
tags: added: server-nro
Martin Pitt (pitti) wrote:

I noted that the new version does this:

+ if (uid && setuid (uid) < 0) {
+ nih_error_raise_system ();
+ job_process_error_abort (fds[1], JOB_PROCESS_ERROR_SETUID, 0);
+ }
+
+ if (pw->pw_gid && setgid (pw->pw_gid) < 0) {
+ nih_error_raise_system ();
+ job_process_error_abort (fds[1], JOB_PROCESS_ERROR_SETGID, 0);
+ }
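Review bot: the group change sits on the wrong side of the user change in this hunk. `setgid (pw->pw_gid)` runs only after `setuid (uid)` has already succeeded, and once a root process has switched to a non-zero uid it no longer holds CAP_SETGID, so setgid() to any group other than the one it already holds fails with EPERM and the job aborts at `JOB_PROCESS_ERROR_SETGID`. Swap the two blocks so the gid is set first, and, if nothing else in this function does it, set the supplementary group list (setgroups() or initgroups()) before the setgid() while the process is still privileged; the quoted lines do not touch supplementary groups, so as written a job would keep whatever list the parent had. The `if (uid && ...)` and `if (pw->pw_gid && ...)` guards are fine for skipping the calls when the target is root, but note they also mean a failure is only reported for non-zero ids.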

Does that actually work that way around? After setuid() you usually lose the privilege of changing between arbitrary groups (CAP_SETGID). I suppose it actually works if you switch to the user's primary group, but I've seen it fail in the past in daemons changing to a system user. The usual approach is to change the group first, then the user. But the result here would be an abort of the job, which is safe, so I don't object to the change with my release hat on because of this.
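The ordering Martin Pitt describes, written out as an added example that is not upstart's code: a root process drops supplementary groups, then gid, then uid, and verifies afterwards that it cannot get uid 0 or gid 0 back, beside the uid-first order quoted in the hunk. The function names, the drop_err codes, the child-process wrapper and the use of a "nobody" account in main() are this example's own assumptions.

```c
/* Added example, not upstart's code: dropping root in the conventional
 * order (supplementary groups, then gid, then uid) beside the uid-first
 * order quoted in the bug. Names and error codes are this example's own. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum drop_err {
    DROP_OK         =  0,
    DROP_ERR_GROUPS = -1,   /* setgroups() failed */
    DROP_ERR_SETGID = -2,   /* setgid() failed */
    DROP_ERR_SETUID = -3,   /* setuid() failed */
    DROP_ERR_REGAIN = -4,   /* root could still be regained afterwards */
};

/* Groups -> gid -> uid. Each step needs privilege the next one removes:
 * changing supplementary groups and switching to an arbitrary gid both
 * need CAP_SETGID, which a root process loses when it setuid()s to a
 * non-zero uid. Only a privileged caller can touch supplementary groups,
 * so that step is skipped when we are not root (an unprivileged process
 * can neither change its group list nor hide privilege in it). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return DROP_ERR_GROUPS;       /* initgroups(name, gid) would keep
                                         the user's own supplementary groups */
    if (setgid(gid) < 0)              /* sets real, effective and saved gid */
        return DROP_ERR_SETGID;
    if (setuid(uid) < 0)              /* sets real, effective and saved uid */
        return DROP_ERR_SETUID;

    /* Verify the drop is permanent: a process that has really given up
     * root cannot set uid 0 or gid 0 again. */
    if (uid != 0 && setuid(0) == 0)
        return DROP_ERR_REGAIN;
    if (uid != 0 && gid != 0 && setgid(0) == 0)
        return DROP_ERR_REGAIN;
    return DROP_OK;
}

/* The order in the quoted hunk: uid first, then gid. Run as root with a
 * non-zero target gid, setgid() fails with EPERM because CAP_SETGID is
 * already gone, so the caller aborts (safe, as Martin notes, but the job
 * never starts). */
int drop_privileges_uid_first(uid_t uid, gid_t gid)
{
    if (uid != 0 && setuid(uid) < 0)
        return DROP_ERR_SETUID;
    if (gid != 0 && setgid(gid) < 0)
        return DROP_ERR_SETGID;
    return DROP_OK;
}

/* Run one variant in a forked child so the parent keeps its identity;
 * returns the child's drop_err value, or -100 if fork/wait failed. */
int run_in_child(int (*fn)(uid_t, gid_t), uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -100;
    if (pid == 0)
        _exit(-fn(uid, gid));         /* exit status = positive error code */
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -100;
    return -WEXITSTATUS(status);
}

int main(void)
{
    if (geteuid() != 0) {
        /* Unprivileged: we can only re-set our own ids, which both orders allow. */
        printf("not root; drop to self -> %d\n",
               run_in_child(drop_privileges, getuid(), getgid()));
        return 0;
    }
    /* Assumes an account called "nobody" with a non-zero primary gid. */
    struct passwd *pw = getpwnam("nobody");
    if (!pw) {
        perror("getpwnam(nobody)");
        return 1;
    }
    printf("gid then uid -> %d\n",
           run_in_child(drop_privileges, pw->pw_uid, pw->pw_gid));
    printf("uid then gid -> %d\n",
           run_in_child(drop_privileges_uid_first, pw->pw_uid, pw->pw_gid));
    return 0;
}
```

Run as root, the first line reports DROP_OK and the second DROP_ERR_SETGID, which is the abort path Martin points at; run unprivileged, both variants only re-set the caller's own ids and succeed, because setgid() to the real gid never needs CAP_SETGID. The verification step at the end of drop_privileges is the check a practitioner wants: a setuid() that "succeeded" but left the saved uid at 0 would be caught there.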

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package upstart - 0.9.6-1ubuntu1

---------------
upstart (0.9.6-1ubuntu1) natty; urgency=low

  [ James Hunt ]
  * init/man/init.5: Remove mention of user jobs since facility is
  disabled.

  [ Clint Byrum ]
  * Noting bugs fixed by 0.9.6 release of upstart: (LP: #728531, LP: #766206)
 -- Clint Byrum <email address hidden> Tue, 19 Apr 2011 13:16:46 -0700

Changed in upstart (Ubuntu Natty):
status: Fix Committed → Fix Released