[pkg-ntp-maintainers] Bug#889488: ntp: root escalation from ntp user on kernels that do not have fs.protected_hardlinks=1

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Feb 3 20:00:21 UTC 2018 

Source: ntp
Version: 1:4.2.8p10+dfsg-6
Severity: normal
Control: found -1 1:4.2.8p10+dfsg-3+deb9u1
Control: tags -1 + security patch

ntp.postinst contains:

if [ "$1" = "configure" ]; then
        addgroup --system --quiet ntp
        adduser --system --quiet --ingroup ntp --no-create-home ntp
        chown -R ntp:ntp /var/lib/ntp /var/log/ntpstats
fi

This means that upon package configuration, there will be a recursive
chown of the contents of /var/lib/ntp and /var/log/ntpstats to be
owned by the ntp user.

if the ntp user account is compromised, and the kernel is running
without fs.protected_hardlinks=1, then it can link to arbitrary files
on the same filesystem as these two directories, and wait for a
package upgrade to gain ownership of them.

This problem exists in debian stable and debian unstable.  it probably
goes back a long way.

It can be fixed simply by making this chown non-recursive:

diff --git a/debian/ntp.postinst b/debian/ntp.postinst
index 71d1139..228c16a 100644
--- a/debian/ntp.postinst
+++ b/debian/ntp.postinst
@@ -21,7 +21,7 @@ fi
 if [ "$1" = "configure" ]; then
 	addgroup --system --quiet ntp
 	adduser --system --quiet --ingroup ntp --no-create-home --home /nonexistent ntp
-	chown -R ntp:ntp /var/lib/ntp /var/log/ntpstats
+	chown ntp:ntp /var/lib/ntp /var/log/ntpstats
 
 	# Bug#863857, the experimental version shipped a broken systemd wrapper
 	# writing a bogus PIDFILE on the root partition


Thanks for maintaining ntp in debian!

       --dkg


-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

More information about the pkg-ntp-maintainers mailing list