Bug ID: 1065951
Summary: systemd service Type=forking and PIDFile privilege escalation
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: All
OS: openSUSE 42.3
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: wullinger@rz.uni-kiel.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 746593
Example service code

When creating a systemd service with Type=forking and PIDFile=, there seems to
be a privilege escalation that makes it possible to have the service manager
kill an arbitrary (maybe privileged) process with information from a
non-privileged process.

Example:

Define a service as follows, where $TARGET_PID is the PID of a root owned
process. /opt/test/escalator forks and writes the specified PID into a file.

# /etc/systemd/system/escalator.service
[Service]
Type=forking
PIDFile=/run/escalator/pid
ExecStart=/opt/test/escalator $TARGET_PID
RuntimeDirectory=escalator
User=nobody
Group=nogroup

If one starts such a unit, systemd will notice if the specified target PID is
not a direct descendent of the service manager:

systemd[1]: escalator.service: Supervising process $TARGET_PID which is not our
child. We'll most likely not notice when it exits.

It will, however, kill the target PID when the unprivileged unit is stopped.

The target PID may be running with higher privileges than the stopped unit; it
seems possible to have systemd kill arbitrary processes with information from a
non-privileged process.


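An added example, not part of the original report and not systemd's own code: a Python audit that flags units matching the reported pattern (Type=forking, PIDFile=, non-root User=) and checks whether a PID read from such a file actually sits in the unit's control group. The function names, the `exampled` unit and the sample cgroup strings are constructed for illustration.

```python
import configparser

# Constructed unit text; REPORTED mirrors the unit quoted in the report.
REPORTED = """[Service]
Type=forking
PIDFile=/run/escalator/pid
ExecStart=/opt/test/escalator $TARGET_PID
RuntimeDirectory=escalator
User=nobody
Group=nogroup
"""
ROOT_DAEMON = """[Service]
Type=forking
PIDFile=/run/exampled.pid
ExecStart=/usr/sbin/exampled
"""

def service_settings(unit_text):
    """Return the [Service] keys of a unit file as a dict."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # unit keys are case-sensitive
    cp.read_string(unit_text)
    return dict(cp["Service"]) if cp.has_section("Service") else {}

def pidfile_under_unprivileged_control(unit_text):
    """True when the service manager reads a PID from a file that the
    unit's own non-root User= is expected to write."""
    s = service_settings(unit_text)
    user = s.get("User", "root")
    return (s.get("Type") == "forking" and bool(s.get("PIDFile"))
            and user not in ("root", "0"))

def pid_in_unit_cgroup(proc_cgroup_text, unit_name):
    """Given the contents of /proc/<pid>/cgroup, report whether the process
    is inside the unit's control group (cgroup v2 '0::' line or the
    v1 'name=systemd' hierarchy)."""
    for line in proc_cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # skip malformed lines
        _hier_id, controllers, path = parts
        if controllers in ("", "name=systemd"):
            return unit_name in path.split("/")
    return False
```

On a live host, the second function would be fed the text of `/proc/<pid>/cgroup` for the PID found in the unit's PID file; a PID outside the unit's cgroup is one the service did not fork.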