Package: monkeysphere
Version: 0.41-1
Severity: important
Tags: upstream

Dear Maintainer,

`/usr/share/monkeysphere/ma/update_users` deletes the managed authorised_keys file in the case of error, even when that error has no possible security impact. The offending code is here:

```
            chown $(whoami) "$tmpAuthorizedKeys" && \
                chgrp $(id -g "$uname") "$tmpAuthorizedKeys" && \
                chmod g+r "$tmpAuthorizedKeys" && \
                mv -f "$tmpAuthorizedKeys" "${authorizedKeysDir}/${uname}" || \
                {
                log error "Failed to install authorized_keys for '$uname'!"
                rm -f "${authorizedKeysDir}/${uname}"
                # indicate that there has been a failure:
                returnCode=1
            }
```

Any error whatsoever in this pipeline will cause `rm -f "${authorizedKeysDir}/${uname}"` to be invoked, potentially locking out the affected user. A transient filesystem error can easily cause all users of a system to be locked out simultaneously, e.g. if /var fills up. This has happened to me several times.

Are you sure you want to remove the *live* authorized_keys file in case of error? Not the temp one? I don't understand how a failed `mv` in this case could cause a security issue serious enough to warrant disabling a login method.

Andrew.


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (800, 'testing'), (700, 'unstable'), (500, 'stable-updates'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages monkeysphere depends on:
ii  adduser                           3.117
ii  gnupg                             2.2.5-1
ii  libcrypt-openssl-rsa-perl         0.28-5+b1
ii  libperl5.24 [libdigest-sha-perl]  5.24.1-7
ii  libperl5.26 [libdigest-sha-perl]  5.26.2-2
ii  lockfile-progs                    0.1.17+b1
ii  procmail                          3.22-26

Versions of packages monkeysphere recommends:
ii  agent-transfer               0.41-1
ii  cron [cron-daemon]           3.0pl1-130
ii  netcat-traditional [netcat]  1.10-41.1
ii  openssh-client               1:7.7p1-2
ii  ssh-askpass                  1:1.2.4.1-10

Versions of packages monkeysphere suggests:
ii  msva-perl [monkeysphere-validation-agent]  0.9.2-1

-- Configuration Files:
/etc/monkeysphere/monkeysphere-authentication.conf changed:
AUTHORIZED_USER_IDS="/etc/monkeysphere/authorized_user_ids/%u"
RAW_AUTHORIZED_KEYS='/etc/security/authorized_keys/%u'

/etc/monkeysphere/monkeysphere.conf changed:
KEYSERVER=localhost


-- no debconf information
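
One way to order the install step so that a failure discards only the scratch files and leaves the live authorized_keys file in place, as an added example that is not monkeysphere's code and not part of the original report. The `install_keys` helper, its arguments and the choice to stage the new file beside the destination are assumptions of this example.

```shell
#!/bin/sh
# Added example, not monkeysphere code. install_keys is a hypothetical helper.
#
# Usage: install_keys TMPFILE DESTFILE GROUP
#   TMPFILE   freshly generated key list (scratch file)
#   DESTFILE  live authorized_keys file read by sshd
#   GROUP     group that must be able to read DESTFILE
# Returns 0 on success. On any failure returns 1 and leaves DESTFILE
# exactly as it was, so existing logins keep working.
install_keys() {
    tmp=$1
    dest=$2
    group=$3

    # Assumption: stage next to the destination so the final mv is a
    # rename within one filesystem and never exposes a half-written file.
    # The copy is owned by the caller, so no chown step is needed here.
    staged="${dest}.new.$$"

    if cp "$tmp" "$staged" &&
       chgrp "$group" "$staged" &&
       chmod g+r "$staged" &&
       mv -f "$staged" "$dest"
    then
        rm -f "$tmp"
        return 0
    fi

    # Failure path: remove only the scratch copies, never the live file.
    echo "Failed to install authorized_keys at '$dest'; previous file kept" >&2
    rm -f "$staged" "$tmp"
    return 1
}
```

Whether a stale key list is acceptable after a failed update is a policy decision; this version keeps the previous file and reports the failure through its return code so the caller can alert on it.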
