[Bug 1787548] Re: PAM fscrypt adds root(0) group to all users called by su
Tyler Hicks
tyhicks at canonical.com
Thu Aug 23 18:42:10 UTC 2018
I've uploaded an fscrypt security update to the Ubuntu Security PPA.
Ubuntu Security will release it once they've reviewed and approved the
changes.
** Information type changed from Private Security to Public Security
** Changed in: shadow (Ubuntu)
Status: New => Invalid
** Changed in: shadow
Status: New => Invalid
** Changed in: fscrypt (Ubuntu)
Status: New => Confirmed
** Changed in: fscrypt (Ubuntu)
Importance: Undecided => Medium
--
https://bugs.launchpad.net/bugs/1787548
Title:
PAM fscrypt adds root(0) group to all users called by su
Status in Shadow:
Invalid
Status in fscrypt package in Ubuntu:
Confirmed
Status in shadow package in Ubuntu:
Invalid
Bug description:
related packages: /bin/su (from login, shadow)
OS: ubuntu 18.04.1, updated
Bug: for a normal user (not in the 'root' group), when the PAM module fscrypt
is active, all calls of su give the user the additional group root(0).
Results: this is a permission escalation; such a user can now delete
files owned by the root group (where permissions are g+w)
Steps to reproduce:
0/ login uses pam unix authentication module (default on ubuntu, no action needed)
0.1/ create a new user:
# useradd developer
1/ verify:
# id developer
// on my system, shows
// uid=1004(developer) gid=1004(developer) groups=1004(developer)
\su - developer -c id
sudo -u developer id
2/ enable pam-fscrypt
# apt install libpam-fscrypt
# pam-auth-update --enable fscrypt
3/ verify again (bug shows)
// repeat step 1/
// the su command will show the bug (sudo won't, interestingly)
\su - developer -c id
// uid=1004(developer) gid=1004(developer) groups=1004(developer),0(root)
4/ workaround and return to original state:
pam-auth-update --disable fscrypt
apt remove libpam-fscrypt
Thank you,
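As an added audit helper (written for this page, not code from the bug report or the fscrypt project): a POSIX sh script that parses the `id` output of an `su` session and reports any gid that the group database does not grant the user, which would flag the stray 0(root) described above. The `su`-driven function assumes it is run as root; the user name `developer` and the sample `id` line are taken from the report.

```shell
# Added audit helper, not from the bug report or the fscrypt project:
# compare the gids a user gets inside an `su` session with the gids the
# group database grants that user, and report any extras such as 0(root).

# Extract the gids from the "groups=..." field of an `id` line, one per line.
gids_from_id_line() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | sed 's/(.*//'
}

# Gids the group database grants a user: the primary gid from passwd plus
# every group whose member list names the user. Needs no privileges.
expected_gids() {
    getent passwd "$1" | cut -d: -f4
    getent group | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $3 }'
}

# Print each gid in $2 (actual, newline separated) that is missing from $1 (expected).
unexpected_gids() {
    expected=$1
    printf '%s\n' "$2" | sort -u | while read -r g; do
        [ -n "$g" ] || continue
        printf '%s\n' "$expected" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done
}

# Run `id` through su (bypassing any alias, as in the report) and audit it.
# Assumes it is run as root; returns 1 if su granted a gid outside the database.
audit_su_groups() {
    user=$1
    actual=$(\su - "$user" -c id)
    extra=$(unexpected_gids "$(expected_gids "$user")" "$(gids_from_id_line "$actual")")
    if [ -n "$extra" ]; then
        printf 'su granted %s unexpected gid(s): %s\n' "$user" "$(printf '%s' "$extra" | tr '\n' ' ')"
        return 1
    fi
    printf 'su groups for %s match the group database\n' "$user"
}
```

Call `audit_su_groups developer` as root before and after enabling the module; the first three helpers need no privileges and can be fed a captured `id` line.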