[pkg-ntp-maintainers] Bug#889488: ntp: root escalation from ntp user on kernels that do not have fs.protected_hardlinks=1
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sat Feb 3 20:00:21 UTC 2018
Source: ntp
Version: 1:4.2.8p10+dfsg-6
Severity: normal
Control: found -1 1:4.2.8p10+dfsg-3+deb9u1
Control: tags -1 + security patch
ntp.postinst contains:
if [ "$1" = "configure" ]; then
    addgroup --system --quiet ntp
    adduser --system --quiet --ingroup ntp --no-create-home ntp
    chown -R ntp:ntp /var/lib/ntp /var/log/ntpstats
fi
This means that upon package configuration, there will be a recursive
chown of the contents of /var/lib/ntp and /var/log/ntpstats so that they
are owned by the ntp user.
If the ntp user account is compromised, and the kernel is running
without fs.protected_hardlinks=1, then it can link to arbitrary files
on the same filesystem as these two directories, and wait for a
package upgrade to gain ownership of them.
This problem exists in Debian stable and Debian unstable. It probably
goes back a long way.
It can be fixed simply by making this chown non-recursive:
diff --git a/debian/ntp.postinst b/debian/ntp.postinst
index 71d1139..228c16a 100644
--- a/debian/ntp.postinst
+++ b/debian/ntp.postinst
@@ -21,7 +21,7 @@ fi
if [ "$1" = "configure" ]; then
addgroup --system --quiet ntp
adduser --system --quiet --ingroup ntp --no-create-home --home /nonexistent ntp
- chown -R ntp:ntp /var/lib/ntp /var/log/ntpstats
+ chown ntp:ntp /var/lib/ntp /var/log/ntpstats
# Bug#863857, the experimental version shipped a broken systemd wrapper
# writing a bogus PIDFILE on the root partition
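Review bot: dropping `-R` removes the hardlink hazard, but it also means the ownership of anything already inside /var/lib/ntp and /var/log/ntpstats is no longer corrected on upgrade; if a previous version could have left files there with the wrong owner, consider a one-time, version-gated fixup (keyed on `$2`) that chowns only regular files with a link count of 1, rather than relying on the recursive form. Also note the context line `adduser ... --no-create-home --home /nonexistent ntp` differs from the postinst excerpt quoted earlier in the report (which lacks `--home /nonexistent`), so the patch should be checked against the revision it is meant to apply to.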
Thanks for maintaining ntp in debian!
--dkg
-- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
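As an added example that is not part of the bug report or the ntp package: a small POSIX sh audit an administrator can run before upgrading, which reports whether fs.protected_hardlinks is enabled and lists regular files under the package's two directories whose link count exceeds 1 (the precondition for a recursive chown to change ownership of a file elsewhere on the filesystem). The function and variable names are my own; the default directory paths are the two from ntp.postinst.

```shell
#!/bin/sh
# Added example (not from the bug report): pre-upgrade audit for the
# condition described above. A regular file with more than one link
# shares its inode with a path outside the directory, so `chown -R` on
# the directory would also change the owner of that other path.

protected_hardlinks_enabled() {
    # Returns 0 when the sysctl reads 1, 1 otherwise (including when the
    # file is unreadable, e.g. on a non-Linux kernel).
    v=$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null) || return 1
    [ "$v" = "1" ]
}

# Print the path of every regular file under the given directories that
# has a link count greater than 1. -xdev keeps the walk on one filesystem,
# which is the only place a hard link can point anyway.
find_multilinked_files() {
    find "$@" -xdev -type f -links +1 -print 2>/dev/null
}

# Number of such files; an upgrade wrapper can refuse to proceed if nonzero.
count_multilinked_files() {
    find_multilinked_files "$@" | wc -l | tr -d ' '
}

# Usage: sh audit.sh --audit [dir ...]
if [ "${1:-}" = "--audit" ]; then
    shift
    dirs="${*:-/var/lib/ntp /var/log/ntpstats}"
    if protected_hardlinks_enabled; then
        echo "fs.protected_hardlinks=1: unprivileged users cannot hard-link files they do not own"
    else
        echo "fs.protected_hardlinks is not 1: a recursive chown of $dirs is risky"
    fi
    echo "files with link count > 1: $(count_multilinked_files $dirs)"
    find_multilinked_files $dirs
fi
```

Run it as root before `apt upgrade`; a non-empty listing means some file in those directories is also reachable under another name on the same filesystem and deserves a look before any recursive chown runs.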