[Bug 1092269] New: VUL-0: systemd: /etc/machine-id is world-writable
http://bugzilla.suse.com/show_bug.cgi?id=1092269

Bug ID: 1092269
Summary: VUL-0: systemd: /etc/machine-id is world-writable
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.0
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: systemd-maintainers@suse.de
Reporter: kbabioch@suse.com
QA Contact: qa-bugs@suse.de
CC: astieger@suse.com, lnussel@suse.com, matthias.gerstner@suse.com, security-team@suse.de
Found By: Security Review Board
Blocker: ---

This was originally discovered by Matthias Gerstner during a security audit of Leap 15.0 (bug #1090647): /etc/machine-id is world-writable, which is probably not what was intended.

The reason is found in the systemd spec file:

    if [ $1 -eq 1 ]; then
        touch %{_sysconfdir}/machine-id
        chmod 666 %{_sysconfdir}/machine-id
    fi

Should be fixed ASAP, since having system configuration world-writable is a bad idea.

--
You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1092269#c1
--- Comment #1 from Karol Babioch
http://bugzilla.suse.com/show_bug.cgi?id=1092269#c2
--- Comment #2 from Matthias Gerstner
At least on Tumbleweed (20180420) this is also an issue.
And on SLE-15 actually. The same codestream.
http://bugzilla.suse.com/show_bug.cgi?id=1092269#c3
--- Comment #3 from Matthias Gerstner
Ludwig Nussel
http://bugzilla.suse.com/show_bug.cgi?id=1092269#c4
Thomas Blume
I am not exactly sure how the machine-id business is supposed to work, from the spec file it sounds like it is a kind of two stage process where some other component is responsible for "fixing up" the file.
Can you please find a solution that avoids having this file world writeable in the first place?
That had been introduced here: https://build.opensuse.org/request/show/479267 but I don't see any reason for making it world-writable. The upstream code (src/core/machine-id-setup.c) shows even 444 as permissions:

-->
int machine_id_setup(const char *root, sd_id128_t machine_id, sd_id128_t *ret) {
        const char *etc_machine_id, *run_machine_id;
        _cleanup_close_ int fd = -1;
        bool writable;
        int r;

        etc_machine_id = prefix_roota(root, "/etc/machine-id");

        RUN_WITH_UMASK(0000) {
                /* We create this 0444, to indicate that this isn't really
                 * something you should ever modify. Of course, since the file
                 * will be owned by root it doesn't matter much, but maybe
                 * people look. */
                (void) mkdir_parents(etc_machine_id, 0755);
                fd = open(etc_machine_id, O_RDWR|O_CREAT|O_CLOEXEC|O_NOCTTY, 0444);
--<

Still, considering the original commit, I guess we'd need to make it 644. Ludwig, since you were involved in bug#1024740, I guess you are the best to comment on that, any objection?
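As an added example (not code from this bug thread, from the systemd spec file, or from systemd's source), the following C program reproduces the two creation paths compared in the report and in comment #4: the upstream open(O_CREAT, 0444) under umask 0000, and the spec file's touch + chmod 666. It works on a file inside a scratch directory under /tmp (an assumption; nothing touches the real /etc/machine-id), checks that the upstream path yields 0444, that the 666 file is flagged world-writable, that re-running the upstream creation does not repair an existing file (O_CREAT's mode only applies when the file is actually created, which is why installed systems need a separate fix), and finally forces 0444 back, which is what an /etc/permissions entry would do. The function names and the return-code scheme are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` the way upstream machine_id_setup() does: umask 0000 so the
 * kernel does not narrow the requested mode, then O_CREAT with mode 0444.
 * The mode argument is only applied when the file is actually created; an
 * existing file keeps whatever mode it already has. Returns 0 or -1. */
int create_machine_id_like_upstream(const char *path) {
    mode_t old = umask(0000);
    int fd = open(path, O_RDWR | O_CREAT | O_CLOEXEC | O_NOCTTY, 0444);
    umask(old);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Permission bits of `path` (e.g. 0444, 0666), or -1 if it cannot be stat'ed. */
int file_mode(const char *path) {
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* 1 if any user may write the file (the reported bug), 0 if not, -1 on error. */
int is_world_writable(const char *path) {
    int mode = file_mode(path);
    if (mode < 0)
        return -1;
    return (mode & S_IWOTH) ? 1 : 0;
}

/* 1 if the calling user can open the file for writing, else 0. For root this
 * is always 1 because of CAP_DAC_OVERRIDE, which is the point made in the
 * thread about 444 being fine for root. */
int writable_by_caller(const char *path) {
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Walk through the scenario in a fresh scratch directory. Returns:
 *   0  everything behaved as expected
 *  -1  scratch setup or file creation failed
 *   1  upstream-style creation did not produce mode 0444
 *   2  after the spec file's chmod 666 the file was not flagged world-writable
 *   3  re-running the upstream creation changed the mode of an existing file
 *   4  forcing 0444 back did not clear the world-writable bit, or an
 *      unprivileged caller could still open the 0444 file for writing */
int demo(void) {
    char dir[] = "/tmp/machine-id-demo.XXXXXX";  /* assumed scratch location */
    char path[64];
    int rc = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/machine-id", dir);

    if (create_machine_id_like_upstream(path) < 0)
        rc = -1;
    else if (file_mode(path) != 0444)
        rc = 1;
    /* The spec file's "chmod 666" on an already-touched file. */
    else if (chmod(path, 0666) < 0 || is_world_writable(path) != 1)
        rc = 2;
    /* A later upstream-style run does not repair it: O_CREAT found the file. */
    else if (create_machine_id_like_upstream(path) < 0 || file_mode(path) != 0666)
        rc = 3;
    /* The remediation for installed systems: force the mode back. */
    else if (chmod(path, 0444) < 0 || is_world_writable(path) != 0 || file_mode(path) != 0444)
        rc = 4;

    /* Only meaningful for an unprivileged caller: root bypasses mode bits. */
    if (rc == 0 && geteuid() != 0 && writable_by_caller(path) != 0)
        rc = 4;

    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void) {
    int rc = demo();
    printf("%s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

Build with `cc -o machine-id-demo machine-id-demo.c` and run as an unprivileged user to also exercise the last check; as root that check is skipped, since CAP_DAC_OVERRIDE makes any mode writable.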
http://bugzilla.suse.com/show_bug.cgi?id=1092269#c5
Ludwig Nussel
http://bugzilla.suse.com/show_bug.cgi?id=1092269#c6
--- Comment #6 from Thomas Blume
I'm sure I didn't ask for 666. 444 as upstream does it should be fine as well as root has CAP_DAC_OVERRIDE.
Ok, thanks, the original 666 was only done during initial package installation but I guess we need to change that also for running systems. Unfortunately, I don't see any possibility to distinguish if the permissions of machine-id were set during package installation or from the user by purpose. So, I guess we can only change it to ro now and be aware that there might be some complaints.
http://bugzilla.suse.com/show_bug.cgi?id=1092269#c7
--- Comment #7 from Ludwig Nussel
http://bugzilla.suse.com/show_bug.cgi?id=1092269#c8
--- Comment #8 from Thomas Blume
I assume nobody sane would set /etc/machine-id to 666 :-) Existing installations could be forced to a specific mode after the fact via /etc/permissions
Ok, here is the submission: https://build.opensuse.org/request/show/605312
http://bugzilla.suse.com/show_bug.cgi?id=1092269#c11
--- Comment #11 from Swamp Workflow Management