Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 5 Jul 2017 13:27:21 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Cc: Daniel Skowroński <daniel@...nf.net>
Subject: Re: systemd fails to parse user that should run
 service

On Wed, Jul 05, 2017 at 10:50:34AM +0200, Pali Rohár wrote:
> On Sunday 02 July 2017 12:02 Daniel Skowroński wrote:
> > Hi all,
> > 
> > Just wanted to bring attention to issue with systemd not doing what is
> > expected when parsing User that should run service.
> > When it fails to parse string starting with digit it fails back to root
> > causing obvious threat to security.
> > 
> > See discussion with developer on github:
> > https://github.com/systemd/systemd/issues/6237
> > 
> > Best,
> > -Daniel Skowronski
> 
> Hi!
> 
> There are basically two problems:
> 
> 1) In more Linux distributions useradd tool allow to create a new user
> which starts with digit. Also according to POSIX such user name is a
> valid. This means that valid user name (for some Linux distributions)
> from /etc/passwd specified in systemd unit file results running service
> as root user.
> 
> 2) If user name specified in systemd unit file is syntactically correct
> (according to systemd check) but user name does not exist then systemd
> refuse to start that unit.
> 
> Which leads to problem that syntactically invalid user name (for
> systemd) results in root user and syntactically valid non-existent user
> name cause error.
> 
> Because check if user name is valid is different in systemd as specified
> in POSIX and also different as in useradd tool supplied by some Linux
> distributions, I see this as a security problem when processing invalid
> input from configuration unit file.
> 
> Correct behaviour should be to throw error also when garbage (invalid
> user name), according to internal systemd check, was specified. And not
> start service under root user with high privileges.
> 
> Because of this I would suggest to ask for CVE identifier, so Linux
> distributions can mitigate or decide how to handle this problem.
> 
> Linux distributions which follow POSIX standard when creating new users
> are affected by this.
> 
> Please note that above bug tracker on github is locked for future
> discussion, which means it is not possible to ask for more details or
> continue discussion in upstream.
> 
> Which is really *bad* for security related problems.
> 
> What do you think, how should be this problem handled?

One of SUSEs systemd developer is developing a patch, that fails the unit
when parsing the username fails.

https://bugzilla.suse.com/show_bug.cgi?id=1047023

Ciao, Marcus

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ