- drop 0001-Port-Qt5-deprecated-methods.patch (upstream) OBS-URL: https://build.opensuse.org/package/show/security/scap-workbench?expand=0&rev=35
From 000889f30583d8e8bb956c665b9f60a12a4a56d8 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Thu, 19 Jul 2018 12:27:46 +0200
Subject: [PATCH] pkexec: avoid potential local root exploit by using
PKEXEC_UID and sudo
If an admin relaxes the required polkit authentication for running
scap-workbench-oscap.sh from auth_admin to auth_self or yes, then the
current implementation of the wrapper script allows for a local root
exploit.
A command line like this would overwrite /etc/shadow with a file owned
by the non-privileged user:
pkexec --disable-internal-agent /usr/lib64/scap-workbench/scap-workbench-oscap.sh 1000 100 \
xccdf eval --profile Default --oval-results --results /etc/shadow \
--results-arf /tmp/scap.results.arf --report /tmp/scap.report \
--progress /usr/share/openscap/scap-yast2sec-xccdf.xml
The copying of the target files needs to be done in the context of the
unprivileged user to prevent any symlink attacks or maliciously
specified paths. This is done by using sudo as a frontend to cp.
Also the user should not pass his own uid and gid. This would allow the user to
change ownership of files to arbitrary other users. Instead pkexec
offers the PKEXEC_UID environment variable which contains the uid of the
authenticated user. The gid can be derived from the uid.
---
scap-workbench-oscap.sh | 32 ++++++++++++++++++++++++--------
scap-workbench-pkexec-oscap.sh | 7 ++-----
2 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/scap-workbench-oscap.sh b/scap-workbench-oscap.sh
|
|
index 90664446c594..6f720ded54a8 100755
|
|
--- a/scap-workbench-oscap.sh
|
|
+++ b/scap-workbench-oscap.sh
|
|
@@ -25,14 +25,15 @@ trap "" SIGHUP SIGINT
|
|
# valuable gets skipped
|
|
echo "Dummy text" 1>&2
|
|
|
|
-wrapper_uid=$1
|
|
-shift
|
|
-wrapper_gid=$1
|
|
-shift
|
|
+# prevent world-readable files being created
|
|
+umask 0007
|
|
|
|
real_uid=`id -u`
|
|
real_gid=`id -g`
|
|
|
|
+wrapper_uid=${PKEXEC_UID:-${real_uid}}
|
|
+wrapper_gid=$(id -g ${wrapper_uid})
|
|
+
|
|
TEMP_DIR=`mktemp -d`
|
|
|
|
args=("$@")
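Review bot: `wrapper_uid` in the new `wrapper_uid=${PKEXEC_UID:-${real_uid}}` line is taken straight from the environment and used without validation in the `[ $wrapper_uid -ne ... ]` test, the `chown` and the `sudo -u "#..."` later in the file, and `wrapper_gid=$(id -g ${wrapper_uid})` silently yields an empty string when `id` fails (a uid with no passwd entry), which then breaks that numeric comparison. Under pkexec the variable is trustworthy, but this same script is also run unprivileged as the fallback in scap-workbench-pkexec-oscap.sh with the caller's own environment, where a stray PKEXEC_UID would only produce confusing chown/sudo failures; rejecting anything non-numeric keeps both paths well-defined. I would add `[[ "${wrapper_uid}" =~ ^[0-9]+$ ]] || { echo "invalid PKEXEC_UID" 1>&2; exit 1; }` after the assignment and change the next line to `wrapper_gid=$(id -g "${wrapper_uid}") || exit 1`, and, if pkexec is expected to always run this script as root, honor PKEXEC_UID only when `real_uid` is 0. The rest of the script's setup and the oscap invocation are outside this hunk.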
|
|
@@ -84,19 +85,34 @@ RET=$?
|
|
|
|
popd > /dev/null
|
|
|
|
+# only copy files with the target user's permissions via sudo if we're running
|
|
+# privileged, otherwise he can trick us into overwriting arbitrary files
|
|
+do_chown=false
|
|
+if [ $wrapper_uid -ne $real_uid ] || [ $wrapper_gid -ne $real_gid ]; then
|
|
+ do_chown=true
|
|
+fi
|
|
+
|
|
function chown_copy
|
|
{
|
|
local what="$1"
|
|
local where="$2"
|
|
|
|
- [ ! -f "$what" ] || cp "$what" "$where"
|
|
+ [ -f "$what" ] || return
|
|
|
|
- # chown only required if wrapper_{uid,gid} differs from real_{uid,gid}
|
|
- if [ $wrapper_uid -ne $real_uid ] || [ $wrapper_gid -ne $real_gid ]; then
|
|
- chown $wrapper_uid:$wrapper_gid "$where"
|
|
+ if $do_chown; then
|
|
+ chown $wrapper_uid:$wrapper_gid "$what"
|
|
+ sudo -u "#${wrapper_uid}" cp "$what" "$where"
|
|
+ else
|
|
+ cp "$what" "$where"
|
|
fi
|
|
}
|
|
|
|
+if $do_chown; then
|
|
+ # don't grant the user ownership of or write access to the directory,
|
|
+ # otherwise he could trick us by replacing the files with symlinks
|
|
+ chmod o+rx "${TEMP_DIR}"
|
|
+fi
|
|
+
|
|
chown_copy "$TEMP_DIR/results-xccdf.xml" "$TARGET_RESULTS_XCCDF"
|
|
chown_copy "$TEMP_DIR/results-arf.xml" "$TARGET_RESULTS_ARF"
|
|
chown_copy "$TEMP_DIR/report.html" "$TARGET_REPORT"
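Review bot: A failure of the new `sudo -u "#${wrapper_uid}" cp "$what" "$where"` line goes unnoticed: `chown_copy` returns whatever `sudo`/`cp` returned and none of the three `chown_copy` calls check it, so if sudo is not installed, sudoers refuses the root-to-user switch without a tty (e.g. `requiretty` or `targetpw`), or the uid has no passwd entry, the scan results quietly never reach the user. The preceding `chown` has the same problem, and because `$where` comes from the caller's arguments both copies should stop option parsing with `--`. I would write `chown -- "${wrapper_uid}:${wrapper_gid}" "$what" || return 1`, `sudo -u "#${wrapper_uid}" -- cp -- "$what" "$where" || return 1` and `cp -- "$what" "$where" || return 1`, and make each caller report the failure, e.g. by setting RET to 1 if RET from the top of this hunk is what the script finally exits with (that is outside the hunk, so confirm). If sudo cannot be assumed on every target, `runuser -u` from util-linux or `setpriv` drops privileges without depending on the sudoers configuration. `chown_copy` is fully inside this hunk; what happens with RET and TEMP_DIR afterwards is not.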
|
|
diff --git a/scap-workbench-pkexec-oscap.sh b/scap-workbench-pkexec-oscap.sh
|
|
index 1ae83296b83b..a8d9b2bd84cb 100755
|
|
--- a/scap-workbench-pkexec-oscap.sh
|
|
+++ b/scap-workbench-pkexec-oscap.sh
|
|
@@ -18,9 +18,6 @@
|
|
|
|
set -u -o pipefail
|
|
|
|
-uid=`id -u`
|
|
-gid=`id -g`
|
|
-
|
|
PARENT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
|
|
|
PKEXEC_PATH="pkexec"
|
|
@@ -29,7 +26,7 @@ SCAP_WORKBENCH_OSCAP="$PARENT_DIR/scap-workbench-oscap.sh"
|
|
# We run unprivileged if pkexec was not found.
|
|
#which $PKEXEC_PATH > /dev/null || exit 1 # fail if pkexec was not found
|
|
|
|
-$PKEXEC_PATH --disable-internal-agent "$SCAP_WORKBENCH_OSCAP" $uid $gid "$@" 2> >(tail -n +2 1>&2)
|
|
+$PKEXEC_PATH --disable-internal-agent "$SCAP_WORKBENCH_OSCAP" "$@" 2> >(tail -n +2 1>&2)
|
|
EC=$?
|
|
|
|
# 126 is a special exit code of pkexec when user dismisses the auth dialog
|
|
@@ -38,7 +35,7 @@ EC=$?
|
|
# This is common in niche desktop environments.
|
|
if [ $EC -eq 126 ] || [ $EC -eq 127 ]; then
|
|
# in case of dismissed dialog we run without super user rights
|
|
- "$SCAP_WORKBENCH_OSCAP" $uid $gid "$@" 2> >(tail -n +2 1>&2);
|
|
+ "$SCAP_WORKBENCH_OSCAP" "$@" 2> >(tail -n +2 1>&2);
|
|
exit $?
|
|
fi
|
|
|
|
--
2.26.0