[Bug 843230] New: VUL-0: root occasionally gets group=100(users)
https://bugzilla.novell.com/show_bug.cgi?id=843230#c0

Summary: VUL-0: root occasionally gets group=100(users)
Classification: openSUSE
Product: openSUSE Factory
Version: 13.1 Beta 1
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Basesystem
AssignedTo: meissner@suse.com
ReportedBy: meissner@suse.com
QAContact: qa-bugs@suse.de
CC: coolo@suse.com, security-team@suse.de, crrodriguez@opensuse.org
Found By: ---
Blocker: ---

root occasionally gets group=100(users) instead of group=0(root), which is a security problem.

It is unclear how this happens. New installs of 13.1 Beta do not seem to do that. Upgrades / Updates seem to do it, but it is unclear which ones do.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=843230#c1

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
           Priority|P5 - None   |P3 - Medium

--- Comment #1 from Swamp Workflow Management <swamp@suse.de> 2013-09-30 22:00:24 UTC ---

bugbot adjusting priority
https://bugzilla.novell.com/show_bug.cgi?id=843230#c2

--- Comment #2 from Cristian Rodríguez <crrodriguez@opensuse.org> 2013-09-30 19:34:58 CLT ---

Unfortunately I do not have a hypothesis about this issue, but "look ma!" after the last 13.1 upgrade..

# id
uid=0(root) gid=0(root) groups=0(root),64(pkcs11)

Root is added to the pkcs11 group! Something seems to be wrong with either rpm scriptlets that add users or with useradd itself.
https://bugzilla.novell.com/show_bug.cgi?id=843230#c3

Robin Jacobs <broederjacobs@gmail.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
                 CC|            |broederjacobs@gmail.com

--- Comment #3 from Robin Jacobs <broederjacobs@gmail.com> 2013-12-06 17:14:24 UTC ---

OpenSUSE 13.1 x86_64 KDE

The same happened on 2 of my OpenSUSE installations (all the same ISO); I will check later to verify on my old laptop running OpenSUSE 13.1 x86_64 Gnome.

Incidentally, this is on the Raspberry Pi images:

raspberrypi:~ # ll /etc/shadow
-rw-r--r-- 1 root root 468 Dec 4 18:42 /etc/shadow

This looks bad. Can anyone confirm? Should I file a separate bug report for this?
https://bugzilla.novell.com/show_bug.cgi?id=843230#c4

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
                 CC|            |suse-beta@cboltz.de

--- Comment #4 from Christian Boltz <suse-beta@cboltz.de> 2013-12-06 22:11:07 CET ---

(In reply to comment #3)
> Incidentally, this is on the Raspberry Pi images:
> raspberrypi:~ # ll /etc/shadow
> -rw-r--r-- 1 root root 468 Dec 4 18:42 /etc/shadow
> This looks bad. Can anyone confirm? Should I file a separate bug report for this?

Yes, that's worth a separate bug report.

For the problem of having the wrong group for root - IIRC useradd, usermod etc. are logging to syslog what they are doing. Can the people who have the problem please grep their logs for it? I'd try

    grep "root.*users"

(or, as general command, grep "root.*$GROUP")

Another way might be to add a watch on /etc/passwd and /etc/group with auditctl before starting the update, and to hope that the bug will appear.

In any case, you should relate the timestamp to something in /var/log/zypp/history.
https://bugzilla.novell.com/show_bug.cgi?id=843230#c5

Bernhard Wiedemann <bwiedemann@suse.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
                 CC|            |bwiedemann@suse.com

--- Comment #5 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-12-06 22:16:18 CET ---

(In reply to comment #3)
> Incidentally, this is on the Raspberry Pi images:
> raspberrypi:~ # ll /etc/shadow
> -rw-r--r-- 1 root root 468 Dec 4 18:42 /etc/shadow
> This looks bad. Can anyone confirm? Should I file a separate bug report for this?

It is a different (also bad) issue. I found that this comes from me using the "build" script that has

    sed -e "s@^root::@root:*:@" < $BUILD_ROOT/etc/shadow > $BUILD_ROOT/etc/shadow.t && mv $BUILD_ROOT/etc/shadow.t $BUILD_ROOT/etc/shadow

I'll work around it and upload an updated image.

https://build.opensuse.org/package/rdiff/devel:ARM:13.1:Contrib:RaspberryPi/altimagebuild?linkrev=base&rev=3
https://bugzilla.novell.com/show_bug.cgi?id=843230#c6

--- Comment #6 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-12-06 23:30:35 CET ---

and https://github.com/openSUSE/obs-build/pull/88

For the original issue, I tried an upgrade from minimal 12.3 to 13.1 and everything remained as it should, so this is maybe only triggered by a package in the bigger installs.
https://bugzilla.novell.com/show_bug.cgi?id=843230#c7

--- Comment #7 from Robin Jacobs <broederjacobs@gmail.com> 2013-12-06 22:47:45 UTC ---

Does not appear to be present in the x86_64 Gnome version. Either that, or it's a pure coincidence.

http://www.imgdumper.nl/uploads7/52a2522c64510/52a2522c52416-Screenshot_from...
https://bugzilla.novell.com/show_bug.cgi?id=843230#c8

--- Comment #8 from Robin Jacobs <broederjacobs@gmail.com> 2013-12-06 23:17:28 UTC ---

Not sure whether this is related, but on my 13.1 x86_64 Gnome install I added my user to a group using YaST, and now there are *- and *.YaST2save versions of the files. The *- ones have the wrong permissions set, as the main files do on my (more frequently used and updated) KDE installations.

/etc/shadow- doesn't appear to contain any passwords, though, so this doesn't appear to be a problem in itself, but is it possible that, at some point, the permissions of shadow and shadow- get swapped (perhaps by YaST)?

I'm sorry if this ends up not being related to the problem at hand. It's just something I noticed.

http://www.imgdumper.nl/uploads7/52a259bda704a/52a259bd83a32-Screenshot_from...
https://bugzilla.novell.com/show_bug.cgi?id=843230#c9

--- Comment #9 from Marcus Meissner <meissner@suse.com> 2013-12-10 16:46:41 UTC ---

https://plus.google.com/116508725383293906806/posts/a6ampAZFriG

Robin has id root with group 100(users) for some reason
https://bugzilla.novell.com/show_bug.cgi?id=843230#c10

--- Comment #10 from Robin Jacobs <broederjacobs@gmail.com> 2013-12-10 16:51:24 UTC ---

I did a full reinstall today because the operating system got wrecked. Is it possible that this bug is only present in the KDE version, and not the Gnome one? Because... you might've guessed it:

robin@linux:~> ls -al /etc/shadow
-rw-r----- 1 root users 716 Dec 10 15:29 /etc/shadow

This time it was installed with LVM and BTRFS.
https://bugzilla.novell.com/show_bug.cgi?id=843230#c11

--- Comment #11 from Marcus Meissner <meissner@suse.com> 2013-12-10 16:58:09 UTC ---

ok, so this appears with a fresh 13.1 KDE install? (started from the live media or from dvd?)
https://bugzilla.novell.com/show_bug.cgi?id=843230#c12

--- Comment #12 from Robin Jacobs <broederjacobs@gmail.com> 2013-12-10 17:00:07 UTC ---

OpenSUSE 13.1 x86_64 KDE

Installed from a live USB, but this time I used a different USB drive and re-downloaded the image to make sure that wasn't the problem.
https://bugzilla.novell.com/show_bug.cgi?id=843230#c13

--- Comment #13 from Marcus Meissner <meissner@suse.com> 2013-12-13 16:45:12 UTC ---

Ok, unpacked the KDE 13.1 LIVE ISO. In /etc/passwd of the live image I find:

root:x:0:100:root:/root:/bin/bash

so root is in group users, which it should not be and causes the follow-up issues.
https://bugzilla.novell.com/show_bug.cgi?id=843230#c14

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                        |Added
----------------------------------------------------------------------------
                 CC|                               |meissner@suse.com
            Summary|VUL-0: root occasionally gets  |VUL-0: kiwi-config-openSUSE: root
                   |group=100(users)               |occasionally gets group=100(users)

--- Comment #14 from Marcus Meissner <meissner@suse.com> 2013-12-13 17:02:47 UTC ---

and there it is:

[ 895s] Nov-06 15:39:35 <1> : EXEC [chroot /usr/src/packages/BUILD/kiwi-image-livecd-kde-13.1/tmp /usr/sbin/usermod -p '' -g users root 2>&1]
[ 895s] Nov-06 15:39:35 <1> : Setting owner/group permissions root [users]

and it's coming from kiwi-config-openSUSE
https://bugzilla.novell.com/show_bug.cgi?id=843230#c15

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|NEW         |ASSIGNED

--- Comment #15 from Marcus Meissner <meissner@suse.com> 2013-12-13 17:05:31 UTC ---

I am going to adjust the config.xml.in

coolo, can we respin the live images? :)
https://bugzilla.novell.com/show_bug.cgi?id=843230#c16

--- Comment #16 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-12-13 19:00:12 CET ---

This is an autogenerated message for OBS integration:
This bug (843230) was mentioned in
https://build.opensuse.org/request/show/210823 Factory:Live / kiwi-config-openSUSE
https://bugzilla.novell.com/show_bug.cgi?id=843230#c17

--- Comment #17 from Cristian Rodríguez <crrodriguez@opensuse.org> 2013-12-13 15:07:11 CLST ---

(In reply to comment #15)
> I am going to adjust the config.xml.in
> coolo, can we respin the live images? :)

what about releasing an update (in aaa_base? or "permissions" maybe) removing root from any other group than "root"?
https://bugzilla.novell.com/show_bug.cgi?id=843230#c18

--- Comment #18 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-12-14 09:00:16 CET ---

This is an autogenerated message for OBS integration:
This bug (843230) was mentioned in
https://build.opensuse.org/request/show/210851 Factory / kiwi-config-openSUSE
https://bugzilla.novell.com/show_bug.cgi?id=843230#c19

--- Comment #19 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-12-17 15:00:21 CET ---

This is an autogenerated message for OBS integration:
This bug (843230) was mentioned in
https://build.opensuse.org/request/show/211213 13.1 / aaa_base
https://build.opensuse.org/request/show/211214 Factory / aaa_base
https://bugzilla.novell.com/show_bug.cgi?id=843230#c20

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                           |Added
----------------------------------------------------------------------------
            Summary|VUL-0: kiwi-config-openSUSE: root |VUL-0: CVE-2013-3713: aaa_base
                   |occasionally gets group=100(users)|kiwi-config-openSUSE: root
                   |                                  |occasionally gets group=100(users)
              Alias|                                  |CVE-2013-3713

--- Comment #20 from Marcus Meissner <meissner@suse.com> 2013-12-17 14:17:26 UTC ---

I have assigned: CVE-2013-3713

The image creation configuration incorrectly created the root user with the group "users", which later led to files being owned by root:users instead of root:root when installing from the live image to an on-disk system.

One sample file was /etc/shadow, which was mode 640, root:users and so readable for local users.
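The checks below are an added example, not code from the bug report, kiwi-config-openSUSE or aaa_base. They cover the log grep suggested in comment #4 and the root-group / /etc/shadow condition explained in comment #20, run against constructed sample data (a passwd entry like the one found in comment #13 and kiwi log lines modelled on comment #14). `shadow_exposed` generalizes the 640/root:users case to any mode and group.

```shell
#!/bin/sh
# Added example (not from the bug report, kiwi or aaa_base): three checks for
# the condition in this bug, run against constructed sample data.
set -e
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

# Constructed passwd file: the broken live-image root entry plus one user.
cat > "$tmp/passwd" <<'EOF'
root:x:0:100:root:/root:/bin/bash
robin:x:1000:100:Robin:/home/robin:/bin/bash
EOF
# Constructed kiwi-style build log modelled on the line quoted in comment #14.
cat > "$tmp/build.log" <<'EOF'
Nov-06 15:39:35 <1> : EXEC [chroot /tmp/kiwi /usr/sbin/usermod -p '' -g users root 2>&1]
Nov-06 15:39:36 <1> : EXEC [chroot /tmp/kiwi /usr/sbin/useradd -g users -m robin 2>&1]
Nov-06 15:39:37 <1> : EXEC [chroot /tmp/kiwi /usr/sbin/usermod -g root root 2>&1]
EOF

# Print root's primary GID (field 4) from a passwd-format file; it must be 0.
root_primary_gid() {
    awk -F: '$1 == "root" { print $4; exit }' "$1"
}

# Count useradd/usermod calls in a log that gave root a primary group (-g)
# other than root: the "grep root.*users" idea from comment #4, made stricter.
count_root_regroup_events() {
    grep -E 'user(add|mod).* -g +[^ ]+ +root' "$1" | grep -Evc ' -g +root ' || true
}

# Return 0 if a file with this octal mode and group name is readable by
# ordinary users: any "other" read bit, or a group read bit with a group other
# than root (on openSUSE every local user is in "users").
# Live system: shadow_exposed "$(stat -c %a /etc/shadow)" "$(stat -c %G /etc/shadow)"
shadow_exposed() {
    m=${1#"${1%???}"}          # last three octal digits, e.g. 0640 -> 640
    g=${m#?}; g=${g%?}         # group digit
    o=${m#??}                  # other digit
    [ "$o" -ge 4 ] && return 0
    [ "$g" -ge 4 ] && [ "$2" != root ] && return 0
    return 1
}

gid=$(root_primary_gid "$tmp/passwd")
[ "$gid" = 0 ] || echo "root has primary gid $gid, expected 0"
echo "usermod/useradd calls regrouping root: $(count_root_regroup_events "$tmp/build.log")"
for spec in "640 users" "640 root" "600 users" "644 root"; do
    set -- $spec
    if shadow_exposed "$1" "$2"; then echo "mode $1 group $2: exposed"; else echo "mode $1 group $2: ok"; fi
done
```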
https://bugzilla.novell.com/show_bug.cgi?id=843230#c21

--- Comment #21 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-12-18 09:00:13 CET ---

This is an autogenerated message for OBS integration:
This bug (843230) was mentioned in
https://build.opensuse.org/request/show/211312 13.1 / aaa_base
https://bugzilla.novell.com/show_bug.cgi?id=843230#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
   Status Whiteboard|            |obs:running:2412:moderate
https://bugzilla.novell.com/show_bug.cgi?id=843230#c22

--- Comment #22 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-12-18 15:00:11 CET ---

This is an autogenerated message for OBS integration:
This bug (843230) was mentioned in
https://build.opensuse.org/request/show/211399 Factory / aaa_base
https://build.opensuse.org/request/show/211401 13.1 / aaa_base
https://bugzilla.novell.com/show_bug.cgi?id=843230#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                   |Added
----------------------------------------------------------------------------
   Status Whiteboard|obs:running:2412:moderate |
https://bugzilla.novell.com/show_bug.cgi?id=843230#c23

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED    |RESOLVED
         Resolution|            |FIXED

--- Comment #23 from Marcus Meissner <meissner@suse.com> 2014-01-09 15:31:03 UTC ---

I think we identified and fixed these; updates have been released.