Date: Tue, 19 Jul 2016 11:39:15 +0200 From: Sebastian Krahmer <krahmer@...e.com> To: oss-security@...ts.openwall.com Cc: ebiederm@...ssion.com Subject: subuid security patches for shadow package Hi The shadow package contains newuidmap and newgidmap suid binaries in order to allow users to take advantage of the userns feature of uid-mappings. I added patches here: https://bugzilla.suse.com/show_bug.cgi?id=979282 they consist of: 1) Removing getlogin() to find out about users. It relies on utmp, which is not a trusted base of info (group writable). 2) Cleaning up UID retrieval and computation. The 'long long' code was totally unclear to me, as the numbers are converted to ulong right afterwards anyway. Additionally there was a *int overflow*, which can be tested via 'newuidmap $$ 0 10000 -1' (given that 10000 is listed as allowed) which produces no error but tries to write large "count" values to the uid_map file. Kernel may check for overflows itself, but it should not be allowed by a suid binary to be written in the first place. Theoretically theres also a TOCTOU issue in newuidmap, since the st_uid fields of the stat on /proc/pid may change over time (suid being executed), but to my analsysis such twists have no gain for the attacker. Patch should be tested by upstream, since I am not sure what the getlogin() code (shared uids??) was about at all. Sebastian -- ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@...e.com - SuSE Security Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ