touch-packages team mailing list archive

Thread
Date

[Bug 1425685] Re: Missing input sanitation in upstart logrotation cronjob

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Seth Arnold <1425685@xxxxxxxxxxxxxxxxxx>
Date: Fri, 13 Mar 2015 00:49:08 -0000
Reply-to: Bug 1425685 <1425685@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Jann, thanks for the comment; I believe the checks aren't strictly
necessary; the grep command used to extract one specific variable with
the given legal values is the more important part of this patch.

That said, /run/user is a filesystem in its own right, so cross-mount
hardlinks aren't possible, and at least on my system, all the
directories are mode 700, so hardlinking to another user's file on the
filesystem will be difficult.

Have you thought of anything else in the meantime? Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to upstart in Ubuntu.
https://bugs.launchpad.net/bugs/1425685

Title:
  Missing input sanitation in upstart logrotation cronjob

Status in upstart package in Ubuntu:
  Fix Released

Bug description:
  Ubuntu Vivid 1504 (development branch) installs an insecure upstart
  logrotation script which will read user-supplied data from
  /run/user/[uid]/upstart/sessions and pass then unsanitized to an env
  command. As user run directory is user-writable, the user may inject
  arbitrary commands into the logrotation script, which will be executed
  during daily cron job execution around midnight with root privileges.

  Problematic part of /etc/cron.daily/upstart:

  for session in /run/user/*/upstart/sessions/*
  do
      env $(cat $session) /sbin/initctl emit rotate-logs >/dev/null 2>&1 || true
  done

  On a system with e.g. libpam-systemd installed, standard login on TTY
  or via SSH will create the directory /run/user/[uid] writable to the
  user. By preparing a suitable session file, user supplied code will be
  run during the daily cron-jobs.

  See [1] for more information.

  # lsb_release -rd
  Description:    Ubuntu Vivid Vervet (development branch)
  Release:        15.04

  # apt-cache policy upstart-bin
  upstart-bin:
    Installed: 1.13.2-0ubuntu7
    Candidate: 1.13.2-0ubuntu7
    Version table:
   *** 1.13.2-0ubuntu7 0
          500 http://archive.ubuntu.com/ubuntu/ vivid/main i386 Packages
          100 /var/lib/dpkg/status

  
  [1] http://www.halfdog.net/Security/2015/UpstartLogrotationPrivilegeEscalation/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/1425685/+subscriptions