Bug ID | 1065951 |
---|---|
Summary | systemd service Type=forking and PIDFile privilege escalation |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | Leap 42.3 |
Hardware | All |
OS | openSUSE 42.3 |
Status | NEW |
Severity | Major |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | wullinger@rz.uni-kiel.de |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
Created attachment 746593
Example service code
When creating a systemd service with Type=forking and PIDFile=, there seems to
be a privilege escalation that makes it possible to have the service manager
kill an arbitrary (maybe privileged) process with information from a
non-privileged process.
Example:
Define a service as follows, where $TARGET_PID is the PID of a root-owned
process. /opt/test/escalator forks and writes the specified PID into a file.
```
# /etc/systemd/system/escalator.service
[Service]
Type=forking
PIDFile=/run/escalator/pid
ExecStart=/opt/test/escalator $TARGET_PID
RuntimeDirectory=escalator
User=nobody
Group=nogroup
```
If one starts such a unit, systemd will notice if the specified target PID is
not a direct descendant of the service manager:
```
systemd[1]: escalator.service: Supervising process $TARGET_PID which is not our child. We'll most likely not notice when it exits.
```
It will, however, kill the target PID when the unprivileged unit is stopped.
As the target PID may be running with higher privileges than the stopped unit, it
seems possible to have systemd kill arbitrary processes with information from a
non-privileged process.
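
An added example, not part of the original report or its attachment: a small Python audit that flags unit files with the combination described above, that is Type=forking with a PIDFile= located inside a RuntimeDirectory= owned by a non-root User=. The function names and the embedded sample text are constructed for illustration; the check assumes absolute PIDFile= paths and does not read drop-in files.

```python
import posixpath

# Constructed sample input: the unit file quoted in the report.
REPORT_UNIT = """\
[Service]
Type=forking
PIDFile=/run/escalator/pid
ExecStart=/opt/test/escalator $TARGET_PID
RuntimeDirectory=escalator
User=nobody
Group=nogroup
"""

def service_settings(unit_text):
    """Return the last value of each key in [Service] (later assignments win)."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_unit(unit_text):
    """Return findings for the pattern in the report; empty list if none."""
    s = service_settings(unit_text)
    pidfile, user = s.get("PIDFile", ""), s.get("User", "")
    if s.get("Type") != "forking" or not pidfile or user in ("", "root", "0"):
        return []
    findings, pid_dir = [], posixpath.dirname(posixpath.normpath(pidfile))
    # RuntimeDirectory= may list several names; systemd creates each one
    # under /run and hands ownership to the configured User=/Group=.
    for name in s.get("RuntimeDirectory", "").split():
        owned = posixpath.join("/run", name)
        if pid_dir == owned or pid_dir.startswith(owned + "/"):
            findings.append(f"PIDFile {pidfile} is inside {owned}, owned by User={user}")
    return findings

if __name__ == "__main__":
    for finding in audit_unit(REPORT_UNIT):
        print(finding)
```

A finding means the PID that the service manager will signal on stop is taken from a file the unprivileged service account can write.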