Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 31 Mar 2017 14:09:49 -0500
From: Mark Felder <>
Subject: CVE Request -- mapr: information disclosure vulnerability


The mapr web frontend component creates an information disclosure
vulnerability.  During the setup of mapr the script calls a
function ConfigureWSRole:

function ConfigureWSRole() {
  if [ $clientOnly -eq 0 -a $dontChangeSecurityPermissionsOn -eq 0 ];

This calls ConfigureRunUserForWS from

function ConfigureRunUserForWS() {
  local val=`getent group shadow 2>/dev/null`
  if [ "$?" != "0" -o "$val" = "" ]; then
    # Create a group named shadow
    groupadd shadow  >> $logFile 2>&1
  # Add CURR_USER to the group wheel
  if [ -f /etc/SuSE-release ]; then
      # Add CURR_USER to the group wheel for SUSE
      usermod -A shadow $MAPR_USER >> $logFile 2>&1
      # The '-A' option has been removed from SuSE 12 
      if [ $STATUS -ne 0 ]; then
          usermod -a -G shadow $MAPR_USER  >> $logFile 2>&1
      usermod -a -G $MAPR_GROUP,shadow $MAPR_USER  >> $logFile 2>&1
  # Change group-owner of /etc/shadow
  chgrp shadow /etc/shadow  >> $logFile 2>&1
  # Allow read permissions for user shadow
  chmod ug+r /etc/shadow >> $logFile 2>&1

This results in a shadow file that is now readable to the application:

# ls -la /etc/shadow
-r--r-----. 1 root shadow 657 Mar 30 16:09 /etc/shadow
# grep shadow /etc/group

The option to disable this codepath, -no-auto-permission-update,  is not
recommended by Mapr and comes with a warning in the script as it will
break the webserver's ability to authenticate the local mapr user, which
is used to administer the cluster:

        echo "    -no-auto-permission-update - do not update the system
        security permissions automatically"
        echo "                             Warn: Features like WebServer
        might not work properly"
        echo "                             default: disabled"

The website docs[1] casually describe the option, "Pass this option to
prevent MapR from silently altering permissions in /etc/shadow."

These files are part of the mapr-core-internal package:

# rpm -fq /opt/mapr/server/
# rpm -fq /opt/mapr/server/



  Mark Felder

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.