[Bug 1803958] Re: [UBUNTU] zkey: Fails to run commands generated by 'zkey cryptsetup'

Dimitri John Ledkov launchpad at surgut.co.uk
Tue Nov 20 12:20:28 UTC 2018 

sudo is enabled by default for the first installed user.

In sudoers we do specify secure_path as
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

We do not include the current working directory in PATH.

Thus the recommendation is to fork&exec, rather than use system(). I.e.
using execlp(), execvp(), execvp() as appropriate.

I do not see setting PATH or using hard-coded names to binaries as a
protective measure. If one has root, one can bind mount their own binary
on top of /usr/bin/cryptsetup if one really wants zkey to execute their
own cryptsetup.

I am actually not sure why the choice is to exec cryptsetup, instead of
using libcryptsetup.so.12 like cryptsetup itself does. It is not an
additional runtime dependency, because /lib/systemd/systemd-cryptsetup
is typically there and also uses libcryptsetup.so.12 directly.

Having a command as a long string, rather than list of args or an array,
looks like there might be shell escape vulnerabilities. I wonder if I
can trick the program to have key_file_name as passed to system() to be
"filename; rm -rf ~/*" for example.

ps. I see system() is used elsewhere in the codebase too.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1803958

Title:
  [UBUNTU] zkey: Fails to run commands generated by 'zkey cryptsetup'

Status in Ubuntu on IBM z Systems:
  Triaged
Status in s390-tools package in Ubuntu:
  New

Bug description:
  Description:  zkey: Fails to run commands generated by 'zkey
  cryptsetup'

  Symptom:      Fails to run commands generated by 'zkey cryptsetup'.

  Problem:  When using 'zkey cryptsetup' with --run option the execution
  of the generated commands may fail, when  the executable to be run is
  located in '/sbin'.

  Solution:     Include /sbin into PATH when executing commands.

  Reproduction: Use 'zkey cryptsetup' with option --run on a distribution
                where 'cryptsetup' is located in '/sbin'.

  Upstream commit:
  https://github.com/ibm-s390-tools/s390-tools/commit/9100327092c470c2e5b5819087c8094822a1c751

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1803958/+subscriptions

More information about the foundations-bugs mailing list