[Touch-packages] [Bug 1784964] [NEW] Regression due to CVE-2018-1116 (processes not inheriting user ID or groups )

[TJ]

Public bug reported:

This report is tracking a possible regression caused by the recent
CVE-2018-1116 patches to policykit-1.

On 18.04, since package upgrades on July 23rd, and after the first
reboot since then on Aug 1st, I hit an issue with the primary (sudo,
adm, etc...) user getting Permission Denied trying to do:

tail -f /var/log/syslog

when that file is owned by syslog:adm and is g=r.

I then found that "groups" reports only the $USER and not the entire
list, but "groups $USER" reports all the groups correctly.

The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g
default-shell /bin/bash"

After changing the user's shell back to /bin/bash and logging in on tty1
the list of groups shows correctly for the /bin/bash process running on
tty1.

I investigated and found that for the affected processes, such as the
tmux process, /proc/$PID/loginuid = 4294967295  whereas the /bin/bash
process on tty1 correctly reported 1000. The same with the respective
gid_map and uid_map.

4294967295 == -1 == 0xFFFFFFFF

The recent CVE patch to policykit has several functions where it does
"uid = -1" which seems to tie in to my findings so far.

** Affects: policykit-1 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1784964

Title:
  Regression due to CVE-2018-1116 (processes not inheriting user ID or
  groups )

Status in policykit-1 package in Ubuntu:
  New

Bug description:
  This report is tracking a possible regression caused by the recent
  CVE-2018-1116 patches to policykit-1.

  On 18.04, since package upgrades on July 23rd, and after the first
  reboot since then on Aug 1st, I hit an issue with the primary (sudo,
  adm, etc...) user getting Permission Denied trying to do:

  tail -f /var/log/syslog

  when that file is owned by syslog:adm and is g=r.

  I then found that "groups" reports only the $USER and not the entire
  list, but "groups $USER" reports all the groups correctly.

  The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g
  default-shell /bin/bash"

  After changing the user's shell back to /bin/bash and logging in on
  tty1 the list of groups shows correctly for the /bin/bash process
  running on tty1.

  I investigated and found that for the affected processes, such as the
  tmux process, /proc/$PID/loginuid = 4294967295  whereas the /bin/bash
  process on tty1 correctly reported 1000. The same with the respective
  gid_map and uid_map.

  4294967295 == -1 == 0xFFFFFFFF

  The recent CVE patch to policykit has several functions where it does
  "uid = -1" which seems to tie in to my findings so far.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp