oss-sec mailing list archives
Re: Re: Bug#738855: initscripts: Skip killing root-owned process starting with @
From: Helmut Grohne <helmut () subdivi de>
Date: Fri, 14 Feb 2014 23:07:59 +0100
Sorry for being unclar here. On Fri, Feb 14, 2014 at 11:50:29AM -0500, cve-assign () mitre org wrote:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738855 Message #34This message starts by discussing initscripts, but ends by discussing a CVE assignment for systemd. That CVE assignment would potentially be reasonable, but we wanted to first clarify what is being asked. We think you mean: - adding a patch to initscripts to introduce more compatibility between initscripts and systemd may be considered a security enhancement, and probably would not be considered a vulnerability fix, so no CVE ID is being requested for a problem in the unpatched initscripts code
Almost. The patch proposed for initscripts does not enhance its security, but it makes it easier to write daemons against both systemd and sysv init (initscripts). The anticipated problem is not present in initscripts, but it could be introduced via the compatibility patch. Whether there actually is a vulnerability in the patch or not, nothing has been shipped to actual systems and that is why no CVE is being requested here.
- this systemd commit http://cgit.freedesktop.org/systemd/systemd/commit/src/core/killall.c?id=bd3fa1d2434aa28564251ac4da34d01537de8c4b introduced the killall.c file. In the first version of this file, the /* Non-root processes otherwise are always subject to be killed */ if (uid != 0) return false; ... /* Processes with argv[0][0] = '@' we ignore from the killing * spree. * * http://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons */ if (count == 1 && c == '@') return true; return false; code was included. - you are proposing that the above "return true" line is a vulnerability because it may allow a not-fully-privileged root user to cause data loss. This could possibly have one CVE ID. One of the arguments against assigning a CVE ID is that this "return true" could have been an intentional tradeoff between perfect privilege checking and design complexity. For environments with not-fully-privileged root users, we're not sure whether there's general acceptable of a guideline that OS components must never contain any program logic to make any security-relevant decision on the basis of the uid value.
You have well captured the intended message. Fundamentally the issue boils to the question of whether there is such a thing as an "unprivileged process with effective UID 0". If there isn't, then there is no vulnerability in systemd (and the proposed patch to initscripts is fine as well). Specifically, I am seeking input on whether there are practical situations in which a process with effective UID 0 can be considered less privileged than say accessing arbitrary block devices for writing (which would have similar implications wrt. data loss). The anticipated scope is LSMs and Linux capabilities in action. At least theoretically, a process could be jailed in a chroot with most of its capabilities (especially CAP_MKNOD and CAP_CHROOT) revoked. Such a process could be considered unprivileged. The state of the art to craft such a jail would more likely involve Linux user namespaces though and thus avoid effective UID 0 alltogether.
- versions of systemd before bd3fa1d2434aa28564251ac4da34d01537de8c4b, in which killall.c did not exist, may have had other problems because the right processes were not killed at the right times. This could possibly have a second CVE ID if there were security implications.
I am making no claims about systemd's behaviour before this commit. In any case those early versions tend not to be around in actual systems, so I doubt that tracking vulnerabilities there would be useful at present. Helmut
Current thread:
- Re: Bug#738855: initscripts: Skip killing root-owned process starting with @ Helmut Grohne (Feb 14)
- Re: Bug#738855: initscripts: Skip killing root-owned process starting with @ cve-assign (Feb 14)
- Re: Re: Bug#738855: initscripts: Skip killing root-owned process starting with @ Helmut Grohne (Feb 14)
- Re: Re: Bug#738855: initscripts: Skip killing root-owned process starting with @ Florian Weimer (Feb 15)
- Re: Re: Bug#738855: initscripts: Skip killing root-owned process starting with @ Helmut Grohne (Feb 16)
- Re: Bug#738855: initscripts: Skip killing root-owned process starting with @ Petter Reinholdtsen (Feb 15)
- Re: Bug#738855: initscripts: Skip killing root-owned process starting with @ Solar Designer (Feb 15)
- Re: Re: Bug#738855: initscripts: Skip killing root-owned process starting with @ Helmut Grohne (Feb 16)
- Re: Bug#738855: initscripts: Skip killing root-owned process starting with @ Solar Designer (Feb 15)
- Re: Bug#738855: initscripts: Skip killing root-owned process starting with @ cve-assign (Feb 14)