
Bug#504516: marked as done (/usr/local/lib is writable by group staff and in default search path)



Your message dated Sat, 25 Jul 2009 06:20:30 -0700
with message-id <20090725132030.GV12392@volo.donarmstrong.com>
and subject line Re: Call for votes (was: Bug#484841: staff group root equivalence)
has caused the Debian Bug report #484841,
regarding /usr/local/lib is writable by group staff and in default search path
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
484841: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484841
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libc6
Version: 2.7-15

Hello. I just noticed that the libc6 package included in the unstable and 
testing repositories has a misconfiguration that can potentially lead to a 
root compromise by any local user that belongs to the 'staff' group (or that is 
able to write to /usr/local/lib somehow).

The problem is in this file: 
/etc/ld.so.conf.d/libc.conf

which contains:
# libc default configuration
/usr/local/lib

And the /usr/local/lib is writable by users in staff group by default.

While that group is intended for users that can compile/install software 
locally and do not need superuser rights, this thing will eventually grant 
them root privs quite easily.

If I am an intruder and got 'staff' group rights I would:

* compile a shared library named like some real one in /lib, declare some 
function which is declared in the real /lib one which executes arbitrary 
code.
* The library should imitate one that a suidroot binary is linked against
* wait until the superuser installs a new .deb package or updates the system 
(since many .deb packages run ldconfig in their post-install phase).
* execute the setuid binary and have my arbitrary code run with superuser 
privileges.

I have described a similar scenario here (sorry, it's not in English, but it 
should be kinda graspable):

http://www . gat3way . 
eu/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=6&cntnt01returnid=15

(cut the spaces in the URL).

It actually imitates the libselinux library and exploits gpasswd to create 
a root-owned, suid setuid() wrapper for /bin/bash.

Hope that helps.



--- End Message ---
--- Begin Message ---
unmerge 504516
clone 484841 -1
reassign -1 debian-policy
reopen -1
merge 484841 504516
thanks

On Sat, 25 Jul 2009, Steve Langasek wrote:
> On Fri, Jul 24, 2009 at 06:55:01PM +0200, Andreas Barth wrote:
> > I'm calling on votes now for these three options (the last one isn't a
> > proposal, but by default in the option set). According to the
> > constitution, the voting period lasts for up to one week, or until the
> > outcome is no longer in doubt.
> 
> > | 1. Keep /usr/local writeable by group staff (i.e. leave things as they
> > | are).
> 
> > | 2. Decide to change the default so that /usr/local is not writeable by
> > | group staff anymore. This change should only be implemented after an
> > | appropriate transition plan exists which enables system administrators
> > | to maintain the ability of group staff to write to /usr/local.
> > | (Reasons for the change are the adaption of other tools like sudo on
> > | most sites, and the concept of "least surprise" for novice users.)
> 
> > | 3. Further discussion.
> 
> I vote: 2 1 3

With this I believe that option 2 has prevailed (four in favor, one
against, with 2 having yet to vote):

    2. Decide to change the default so that /usr/local is not
    writeable by group staff anymore. This change should only be
    implemented after an appropriate transition plan exists which
    enables system administrators to maintain the ability of group
    staff to write to /usr/local. (Reasons for the change are the
    adaption of other tools like sudo on most sites, and the concept
    of "least surprise" for novice users.)

I have changed the webwml for the tech-ctte, and am closing the bug
with this message.


Don Armstrong

-- 
Personally, I think my choice in the mostest-superlative-computer wars
has to be the HP-48 series of calculators.  They'll run almost
anything.  And if they can't, while I'll just plug a Linux box into
the serial port and load up the HP-48 VT-100 emulator.
 -- Jeff Dege, jdege@winternet.com

http://www.donarmstrong.com              http://rzlab.ucr.edu


--- End Message ---