oss-sec mailing list archives
Re: systemd fails to parse user that should run service
From: Daniel Micay <danielmicay () gmail com>
Date: Wed, 05 Jul 2017 11:06:14 -0400
On Wed, 2017-07-05 at 15:50 +0100, John Haxby wrote:
On 05/07/17 14:53, Simon McVittie wrote:On Wed, 05 Jul 2017 at 14:02:23 +0200, Casper.Dik () oracle com wrote:2) If user name specified in systemd unit file is syntactically correct (according to systemd check) but user name does not exist then systemd refuse to start that unit.Should systemd really valid usernames? I would think that you would either use getpwnam(username) and if that fails you may then parse it as a numeric value. If "0day" isn't a valid username according to getpwnam(), when converting it to a numeric uid should *also* fail because "0day" isn't a properly numeric value.It *does* fail. The problem is in the handling of that failure. systemd interprets that failure as "this line is nonsense, so behave as though the line didn't exist" rather than "this line can be positively identified as an attempt to name a nonexistent or unacceptable user, so fail to load the unit". So User=7up does the same thing as User=0day - it doesn't run as uid 7, which is 'lp' on my Debian system.And therein lies the problem. "0day" and "7up" are valid user names according to Posix[1], they may or may not exist, but they are valid. You may think Posix is wrong to allow an initial digit, but that isn't the issue. The problem is that systemd treats an "invalid" username as either an integer or not specified and in either case this results in a program running as the wrong user, probably as root. Having systemd balk at what Posix considers to be a valid username is a bug that systemd is free to say "this is stupid, we're not allowing that". If, as appears to be the case, systemd says "that username is stupid, we're going to interpret it differently" then that's when we need a CVE because, to my mind on this hot and sunny say, that's systemd apparently doing something for security that it is not. jch [1] http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.htm l#tag_03_431
https://github.com/shadow-maint/shadow/blob/master/libmisc/chkname.c#L49 POSIX also says "." is a portable character, which isn't allowed by shadow either. What are distributions using to provide useradd if not shadow? systemd's On Error Resume Next error handling seems like the main issue. If a unit has invalid values, it should reject it. It shouldn't ever be ignoring a User field because it considers it invalid. It's unfortunate that it enables invalid field names like Usre=validusername too, but it probably does that so they can introduce new fields that can be adopted by projects for their units without breaking compatibility with older versions of systemd. I don't think it makes much sense for programs that are only consuming the password database to enforce their own checks, but they're free to do silly things like that if they feel like it and it doesn't make it a vulnerability. If it rejected the unit as a whole when it considers the username invalid, it would only be an annoyance for people that actually want to have a shadow / systemd incompatible username, not a potential security gotcha.
Current thread:
- systemd fails to parse user that should run service Daniel Skowroński (Jul 02)
- Re: systemd fails to parse user that should run service Pali Rohár (Jul 05)
- Re: systemd fails to parse user that should run service Marcus Meissner (Jul 05)
- Re: systemd fails to parse user that should run service Casper . Dik (Jul 05)
- Re: systemd fails to parse user that should run service Simon McVittie (Jul 05)
- Re: systemd fails to parse user that should run service John Haxby (Jul 05)
- Re: systemd fails to parse user that should run service Daniel Micay (Jul 05)
- Re: systemd fails to parse user that should run service John Haxby (Jul 05)
- Re: systemd fails to parse user that should run service Daniel Micay (Jul 05)
- Re: systemd fails to parse user that should run service Simon McVittie (Jul 05)
- Re: systemd fails to parse user that should run service Kristian Fiskerstrand (Jul 05)
- Re: systemd fails to parse user that should run service Pali Rohár (Jul 05)
- Re: systemd fails to parse user that should run service Pali Rohár (Jul 05)
- Re: systemd fails to parse user that should run service Alan Coopersmith (Jul 05)
- Re: systemd fails to parse user that should run service Perry E. Metzger (Jul 05)
- Re: systemd fails to parse user that should run service Simon McVittie (Jul 05)
- Re: systemd fails to parse user that should run service Kristian Fiskerstrand (Jul 05)