← Back to team overview

touch-packages team mailing list archive

[Bug 1425685] Re: Missing input sanitation in upstart logrotation cronjob

 

I'm not sure whether this is the right place to write this, but those permission checks look really racy - both the file type test and the file owner UID check.
(Besides, I think that an attacker should be able to hardlink a file created by another user into his directory, which would also lead to a bypass of the UID equality check, but I'm not familiar enough with ubuntu to be able to say whether that attack is actually feasible.)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to upstart in Ubuntu.
https://bugs.launchpad.net/bugs/1425685

Title:
  Missing input sanitation in upstart logrotation cronjob

Status in upstart package in Ubuntu:
  Fix Released

Bug description:
  Ubuntu Vivid 1504 (development branch) installs an insecure upstart
  logrotation script which will read user-supplied data from
  /run/user/[uid]/upstart/sessions and pass then unsanitized to an env
  command. As user run directory is user-writable, the user may inject
  arbitrary commands into the logrotation script, which will be executed
  during daily cron job execution around midnight with root privileges.

  Problematic part of /etc/cron.daily/upstart:

  for session in /run/user/*/upstart/sessions/*
  do
      env $(cat $session) /sbin/initctl emit rotate-logs >/dev/null 2>&1 || true
  done

  On a system with e.g. libpam-systemd installed, standard login on TTY
  or via SSH will create the directory /run/user/[uid] writable to the
  user. By preparing a suitable session file, user supplied code will be
  run during the daily cron-jobs.

  See [1] for more information.

  # lsb_release -rd
  Description:    Ubuntu Vivid Vervet (development branch)
  Release:        15.04

  # apt-cache policy upstart-bin
  upstart-bin:
    Installed: 1.13.2-0ubuntu7
    Candidate: 1.13.2-0ubuntu7
    Version table:
   *** 1.13.2-0ubuntu7 0
          500 http://archive.ubuntu.com/ubuntu/ vivid/main i386 Packages
          100 /var/lib/dpkg/status

  
  [1] http://www.halfdog.net/Security/2015/UpstartLogrotationPrivilegeEscalation/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/1425685/+subscriptions