[Bug 1202934] AUDIT-FIND: powerline: powerline-daemon running as root with poor programming practices
https://bugzilla.suse.com/show_bug.cgi?id=1202934
https://bugzilla.suse.com/show_bug.cgi?id=1202934#c1

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CONFIRMED
              Group|SUSE Security Internal,     |
                   |novellonly                  |
           Assignee|jsegitz@suse.com            |asn@cryptomilk.org
            Summary|AUDIT-1: powerline:         |AUDIT-FIND: powerline:
                   |powerline-daemon running as |powerline-daemon running as
                   |root with poor programming  |root with poor programming
                   |practices (fixed pid file   |practices
                   |in /tmp)                    |

--- Comment #1 from Johannes Segitz <jsegitz@suse.com> ---
I had a look at this. On Linux the path in /tmp isn't used since they're guarded
by

33 USE_FILESYSTEM = not sys.platform.lower().startswith('linux')

in /usr/bin/powerline-daemon

I opened https://github.com/powerline/powerline/issues/2217 to get upstream to
address this on other systems.

On openSUSE the daemon is run as root. This is problematic and also not really
helpful. Users can use this to trigger read operations on arbitrary files:

POC: start powerline daemon, then:

cd /home/johannes
ln -s /etc/shadow config.json
POWERLINE_CONFIG_PATHS=/home/johannes powerline --socket powerline-ipc-0 pdb left

This will cause an error as /etc/shadow is not valid json, but it causes a read
as root which could be abused to e.g. trigger devices. I tried to find a nicer
exploitation path, but apart from leaking information out of the root
environment I couldn't find a suitable target, but I wouldn't rule out that
there's also the chance for code execution given that you can influence the
configuration to a high degree.

The current service isn't helpful anyway. Have a look at
https://github.com/joeroback/powerline/tree/be4ee01c4e5a5a4c655dbefd4e4621ca...
on how it could be changed

-- 
You are receiving this mail because:
You are on the CC list for the bug.
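The root cause above is a privileged daemon opening whatever config path an unprivileged client names, so a symlink in the user's directory turns into a read of any file as root, and the read happens before the JSON parser rejects the contents. The real fix is the one the comment points at (do not run the daemon as root at all), but the loader pattern itself is worth seeing side by side with a hardened form. The following is an added example, not powerline's code and not the linked branch: `load_config_unchecked` mirrors the risky pattern, and `load_user_config` is a hypothetical hardened loader that refuses symlinks via `O_NOFOLLOW`, checks the opened descriptor with `fstat` (so the check and the read cannot race on the path), and requires the file to be owned by the uid the daemon is acting for. `demo()` rebuilds the report's scenario with constructed files inside a temporary directory; nothing outside it is touched.

```python
import json
import os
import stat
import tempfile


def load_config_unchecked(path):
    """Mirrors the risky pattern: open whatever path the caller names.

    Run as root this follows symlinks and reads any file on the system; the
    read completes before json.load() gets a chance to complain.
    """
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def load_user_config(path, requesting_uid):
    """Hypothetical hardened loader (not powerline's API).

    Refuses symlinks (O_NOFOLLOW), non-regular files, and files not owned by
    the uid on whose behalf the daemon is acting. Checks are made on the open
    descriptor via fstat, so a path swapped after the check is not a concern.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:  # ELOOP for a symlink, ENOENT, EACCES, ...
        raise PermissionError(f"refusing {path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"refusing {path}: not a regular file")
        if st.st_uid != requesting_uid:
            raise PermissionError(
                f"refusing {path}: owned by uid {st.st_uid}, "
                f"caller is uid {requesting_uid}"
            )
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "r", encoding="utf-8") as fh:
        return json.load(fh)


def demo():
    """Reproduce the report's symlink scenario with constructed files in a
    scratch directory and return what each loader did."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "config.json")
        with open(good, "w", encoding="utf-8") as fh:
            json.dump({"ext": {"shell": {"theme": "default"}}}, fh)
        # Constructed stand-in for /etc/shadow: readable here, but not JSON.
        secret = os.path.join(d, "shadow")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("root:*:19000:0:99999:7:::\n")
        link = os.path.join(d, "link.json")
        os.symlink(secret, link)

        me = os.getuid()
        out = {}
        out["good"] = load_user_config(good, me)
        try:
            load_user_config(link, me)
            out["symlink"] = "accepted"
        except PermissionError:
            out["symlink"] = "rejected"
        try:
            load_user_config(good, me + 1)  # file not owned by the caller
            out["wrong_owner"] = "accepted"
        except PermissionError:
            out["wrong_owner"] = "rejected"
        try:
            load_config_unchecked(link)
            out["unchecked"] = "parsed"
        except json.JSONDecodeError:
            # The symlink target was already read in full before this error.
            out["unchecked"] = "read-then-parse-error"
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ownership check is the part that matters for a daemon that serves several users: rejecting symlinks alone still lets a client name any regular file the daemon can read, whereas requiring `st_uid` to match the requesting uid limits the daemon to files that user could have opened anyway. It is defence in depth, not a substitute for dropping root.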
participants (1)
-
bugzilla_noreply@suse.com