The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #12458

Only euid changed, not egid

Added by Anonymous almost 3 years ago. Updated almost 3 years ago.

Status: Closed
Start date: 02/06/2012
Priority: Normal
Due date:
Assignee: Dominic Maraglia
% Done: 0%
Category: -
Target version: 2.7.11
Affected Puppet version:
Branch: https://github.com/puppetlabs/puppet-cve-test/commits/security/2.6.x/suidmanager-security
Keywords:



Description

2a. Only euid changed, not egid

The second problem occurs when only a target user is given to the SUIDManager asuser method as opposed to a target user and group, as is the case in the following places:

    lib/puppet/provider/ssh_authorized_key/parsed.rb:59
    lib/puppet/type/file/target.rb:46

In this case, the SUIDManager asuser method at lib/puppet/util/suidmanager.rb:78 doesn’t change the egid, only the euid, so the egid remains as root.

It seems to me that the gid should be set sensibly if only the user is specified, rather than the default of root.

2b. Demo

I've used the following contrived manifest to demonstrate that these two issues leave us with group privs, but I haven't thought of a reasonable way to exploit this under normal conditions.

    ssh_authorized_key { "test":
      ensure => present,
      key    => "AAAA",
      type   => "ssh-rsa",
      user   => "nobody",
      target => "/tmp/suidbug/file",
    }

Then:

    mkdir /tmp/suidbug
    touch /tmp/suidbug/file
    chmod -R g+w /tmp/suidbug
    ll /tmp/suidbug/file
    -rw-rw-r--. 1 root root 0 Feb 4 20:17 /tmp/suidbug/file

    puppet apply sshauthkeys.pp
    notice: /Stage[main]//Ssh_authorized_key[test]/ensure: created
    err: /Stage[main]//Ssh_authorized_key[test]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /tmp/suidbug/file: Permission denied - /tmp/suidbug/file
    notice: Finished catalog run in 0.03 seconds

    ll /tmp/suidbug/file
    -rw-rw-r--. 1 root root 196 Feb 4 20:19 /tmp/suidbug/file

    cat /tmp/suidbug/file
    # HEADER: This file was autogenerated at Sat Feb 04 20:19:04 +0100 2012
    # HEADER: by puppet. While it can still be managed manually, it
    # HEADER: is definitely not recommended.
    ssh-rsa AAAA test

2c. Fixing

I've attached a suggested patch for the two problems, where I tried to address this quickly by changing the asuser method so it changes the egid to the primary gid if a gid isn't explicitly given. I've now realised that the change_user method is sometimes called directly so asuser is bypassed, e.g. in execute_posix (lib/puppet/util.rb).

Some more work needs to be done here to either change everything to go through asuser, or to find a way to secure direct use of change_user too. The patch is incomplete!
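The privilege-drop ordering the ticket describes (sections 2a and 2c), as an added Ruby example that is not part of the report and not Puppet's SUIDManager code. It models the two behaviours as lists of setter calls so they can be compared without running as root: the naive variant switches only the euid and keeps the caller's egid (root's), the corrected variant derives the primary gid from the passwd entry when no group is given and sets egid before euid, because once euid is unprivileged the egid change would fail with EPERM. All function names are this example's own.

```ruby
require 'etc'

# Resolve the effective identity a privilege drop should switch to.
# user: Integer uid or String name; group: Integer gid, String name, or nil.
# With no group, fall back to the user's primary gid from the passwd entry
# instead of silently keeping whatever egid the caller (root) had.
def resolve_identity(user, group = nil)
  pw = user.is_a?(Integer) ? Etc.getpwuid(user) : Etc.getpwnam(user.to_s)
  gid = if group.nil?
          pw.gid
        elsif group.is_a?(Integer)
          group
        else
          Etc.getgrnam(group.to_s).gid
        end
  [pw.uid, gid]
end

# The defective behaviour from the ticket, expressed as the setter calls
# made: euid only, so egid is never touched.
def naive_drop_steps(user)
  uid, _gid = resolve_identity(user)
  [[:euid, uid]]
end

# Corrected order: set the group while still privileged, then the user.
def safe_drop_steps(user, group = nil)
  uid, gid = resolve_identity(user, group)
  [[:egid, gid], [:euid, uid]]
end

# Review check: does this step list leave the caller's egid in place?
def retains_caller_egid?(steps)
  steps.none? { |what, _id| what == :egid }
end

# Apply a step list for real and report the resulting identity. Only a
# root process can switch to arbitrary ids, so the demo guards on euid 0.
def apply_steps(steps)
  steps.each do |what, id|
    case what
    when :egid then Process.egid = id
    when :euid then Process.euid = id
    end
  end
  { euid: Process.euid, egid: Process.egid }
end

if __FILE__ == $PROGRAM_NAME
  target = 'nobody' # same target user as the manifest in the report
  puts "naive steps: #{naive_drop_steps(target).inspect} " \
       "(keeps root egid: #{retains_caller_egid?(naive_drop_steps(target))})"
  puts "safe steps:  #{safe_drop_steps(target).inspect}"
  puts "after drop:  #{apply_steps(safe_drop_steps(target)).inspect}" if Process.euid.zero?
end
```

Run as root the last line prints both euid and egid for nobody; as an unprivileged user the step lists alone show the difference. The same step-list shape also covers the change_user bypass noted in 2c: any direct caller that produces a list without an :egid entry is flagged by retains_caller_egid?.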

History

#1 Updated by Anonymous almost 3 years ago

  • Branch set to https://github.com/puppetlabs/puppet-cve-test/commits/security/2.6.x/suidmanager-security

https://github.com/puppetlabs/puppet-cve-test/commits/security/2.6.x/suidmanager-security should have the changes supplied by Dominic split apart, tests added, and ready to go against 2.6.x.

#2 Updated by Jason McKerr almost 3 years ago

  • Assignee changed from Jason McKerr to Deepak Giridharagopal

#4 Updated by Matthaus Owens almost 3 years ago

  • Status changed from Accepted to Closed
  • Target version set to 2.7.11
  • Private changed from Yes to No

Released in 2.6.14, 2.7.11
