Your message dated Sun, 14 Jun 2020 01:03:45 +0000
with message-id <e1jkh3p-000hpg...@fasolo.debian.org>
and subject line Bug#868190: fixed in gatling 0.13-6.1
has caused the Debian Bug report #868190,
regarding gatling: -u <uid> is silently ignored if <uid> is a username rather
than a numeric user id
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
868190: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868190
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gatling
Version: 0.13-6+b1
Justification: 5.b
Severity: serious
Tags: security
Dear Maintainers,
Dropping privileges fails silently if -u is used with a username rather
than a numeric user id. Such usage is even recommended in both the
manpage and /etc/default/gatling. Any CGI script is consequently run as
root (though chrooted - but a chroot is not a jail for root processes).
Concretely, requesting "http://127.0.0.1/test.cgi" from the following
server will run /var/www/default/test.cgi as root:
gatling -v -D -S -F -U -u nobody -c /var/www -C "^/test\\.cgi$"
While this server will run it as user nobody:
gatling -v -D -S -F -U -u 65534 -c /var/www -C "^/test\\.cgi$"
Note that "-u nobody" is the recommended usage in manpage and
/etc/default/gatling.
Reproducing this is a bit cumbersome:
# apt-get install busybox-static
# mkdir /var/www/.bin
# cp -al /bin/busybox /var/www/.bin/
# cat > /var/www/default/test.cgi << EOF
#!/.bin/busybox sh
cat << EOHDR
Status: 200
Content-Type: text/plain; charset=UTF-8
Hallo Welt
==========
EOHDR
/.bin/busybox id
echo "---"
cat /secret.txt
echo "---"
EOF
# echo "A SECRET HAS BEEN UNVEILED" > /var/www/secret.txt
# chmod 0600 /var/www/secret.txt
# chmod 0755 /var/www/default/test.cgi
# touch /var/www/default/.proxy
# gatling -v -D -S -F -U -u nobody -c /var/www -C "^/test\\.cgi$"
$ curl "http://127.0.0.1/test.cgi"
The result shows that the CGI process is run with uid=0 and clearly has
read access to /var/www/secret.txt.
As is common knowledge, by mounting proc inside the chroot and accessing
/proc/1/root/, the process can then escape the chroot.
Note that using busybox is only one way to get non-compiled CGIs work in
a chroot in the first place and is not a requirement for the bug to be
exploited. The only requirement is a security hole in a CGI (which is,
after all, quite common, which is why webservers drop privileges in the
first place).
I suggest the following procedures, in that order:
- Fixing manpage and /etc/default/gatling to match actual behaviour
- making gatling throw an error if the uid is non-numeric
- implementing actual user name lookup and then reverting the above two.
Yours
Thomas Kremer
-- System Information:
Debian Release: 8.8
APT prefers oldstable
APT policy: (700, 'oldstable'), (500, 'oldoldstable'), (450,
'stable'), (400, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages gatling depends on:
ii libc6 2.19-18+deb8u10
ii libmbedcrypto0 2.4.2-1
ii libmbedtls10 2.4.2-1
ii libmbedx509-0 2.4.2-1
ii libowfat0 0.29-4
ii libssl1.1 1.1.0f-3
ii zlib1g 1:1.2.8.dfsg-2+b1
gatling recommends no packages.
gatling suggests no packages.
-- no debconf information
--- End Message ---
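The report above asks for two things: refuse a -u value that cannot be resolved instead of silently staying root, and then implement real user-name lookup. As an added example (written for this page; it is neither gatling's code nor the patch that closed this bug), the following C program shows both halves: a resolver that accepts either a numeric uid or a name via getpwnam() and fails on anything else, and a privilege drop that checks every step and verifies afterwards that root cannot be regained. The function names, the fallback of gid == uid for a numeric uid with no passwd entry, and naive_uid() (which only illustrates why an atoi()-style parser turns "nobody" into uid 0) are assumptions of this example.

```c
/* Added example, not gatling's code: resolve a "-u <uid|name>" argument
 * and drop privileges so that every failure is loud, never silent. */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Illustration of the failure mode only (assumed, not gatling's parser):
 * a digits-only parser maps any user name to 0, and setuid(0) as root is a
 * no-op that "succeeds". */
uid_t naive_uid(const char *s)
{
    return (uid_t)atoi(s);
}

/* Resolve ARG to a uid/gid pair.  All-digit strings are numeric uids;
 * anything else goes through getpwnam().  Returns 0 on success, -1 on
 * failure, and never reports success with an unresolved name. */
int resolve_user(const char *arg, uid_t *uid, gid_t *gid)
{
    if (arg == NULL || *arg == '\0')
        return -1;

    const char *p = arg;
    while (*p != '\0' && isdigit((unsigned char)*p))
        p++;

    if (*p == '\0') {                       /* numeric uid */
        errno = 0;
        char *end;
        unsigned long v = strtoul(arg, &end, 10);
        /* (uid_t)-1 is reserved ("no change" for setre*uid), so reject it */
        if (errno != 0 || *end != '\0' || v >= (unsigned long)(uid_t)-1)
            return -1;
        *uid = (uid_t)v;
        struct passwd *pw = getpwuid(*uid);
        /* assumption of this example: no passwd entry -> use gid == uid */
        *gid = pw ? pw->pw_gid : (gid_t)v;
        return 0;
    }

    struct passwd *pw = getpwnam(arg);      /* user name lookup */
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Permanently drop to UID/GID.  Supplementary groups and the gid must go
 * first; after setuid() we may no longer change them.  Returns 0 on
 * success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {                         /* "dropping" to root is a bug */
        errno = EINVAL;
        return -1;
    }
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop took and is irreversible: regaining root must fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <uid|username>\n", argv[0]);
        return 2;
    }
    uid_t uid;
    gid_t gid;
    if (resolve_user(argv[1], &uid, &gid) != 0) {
        fprintf(stderr, "cannot resolve user '%s'\n", argv[1]);
        return 1;
    }
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now running as uid=%u gid=%u\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run it as root with "nobody" and with "65534" to see both forms resolve to the same uid; run it with a misspelled name and it exits non-zero instead of continuing as root. The post-drop check (setuid(0) must fail) is the cheap assertion any daemon can make before it starts serving requests or spawning CGIs.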
--- Begin Message ---
Source: gatling
Source-Version: 0.13-6.1
Done: Fabio Dos Santos Mendes <fmen...@protonmail.ch>
We believe that the bug you reported is fixed in the latest version of
gatling, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 868...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabio Dos Santos Mendes <fmen...@protonmail.ch> (supplier of updated gatling
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 09 Jun 2020 23:50:32 -0300
Source: gatling
Architecture: source
Version: 0.13-6.1
Distribution: unstable
Urgency: medium
Maintainer: Vedran Furač <vedran.fu...@gmail.com>
Changed-By: Fabio Dos Santos Mendes <fmen...@protonmail.ch>
Closes: 868190
Changes:
gatling (0.13-6.1) unstable; urgency=medium
.
* Non-maintainer upload.
* debian/patches/11-silently-ignore-uid-as-username-fix.patch: fix when using
-u parameter with username rather than a numeric user id. Thanks to Thomas
Kremer <bugs.deb...@xorg.c-informatik.de>. (Closes: #868190)
Checksums-Sha1:
9ae0c691cb29440b8e07ceab2d6052f05430f9b9 1819 gatling_0.13-6.1.dsc
346d891edfa15e479eb6e9d69fc3042cfc6db1e3 14500 gatling_0.13-6.1.debian.tar.xz
2494124d5438bb1bb59e52a5e457186abf0d66dc 5595 gatling_0.13-6.1_source.buildinfo
Checksums-Sha256:
5aade2609ab92cbb898dcc7635ce0043ead7d5565f346c851dcd1409c19c51ad 1819 gatling_0.13-6.1.dsc
f7846b6e97a4297e5d796bf0d67bfa6563ae426457d9572695ce883f61b286c3 14500 gatling_0.13-6.1.debian.tar.xz
9a641f0d895eac92b45b24378ad623042ce1b4d02e6e3e68f781b3eee21cd220 5595 gatling_0.13-6.1_source.buildinfo
Files:
e3ac6a4053ba673c7d0693785a895e13 1819 net optional gatling_0.13-6.1.dsc
99e386a24aa79a5181602dc2254036b1 14500 net optional gatling_0.13-6.1.debian.tar.xz
ea14c5252b68554f20360d7a9e4dac74 5595 net optional gatling_0.13-6.1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---