Hello community, here is the log from the commit of package scap-workbench for openSUSE:Factory checked in at 2018-07-31 16:04:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/scap-workbench (Old) and /work/SRC/openSUSE:Factory/.scap-workbench.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "scap-workbench" Tue Jul 31 16:04:19 2018 rev:10 rq:626684 version:1.1.5 Changes: -------- --- /work/SRC/openSUSE:Factory/scap-workbench/scap-workbench.changes 2018-01-03 13:39:32.371231584 +0100 +++ /work/SRC/openSUSE:Factory/.scap-workbench.new/scap-workbench.changes 2018-07-31 16:04:29.540066170 +0200 @@ -1,0 +2,6 @@ +Thu Jul 26 09:11:29 UTC 2018 - matthias.gerstner@suse.com + +- 0001-pkexec-avoid-potential-local-root-exploit-by-using-P.patch: + harden and sanitize the pkexec wrapper (bsc#1084706). + +------------------------------------------------------------------- New: ---- 0001-pkexec-avoid-potential-local-root-exploit-by-using-P.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ scap-workbench.spec ++++++ --- /var/tmp/diff_new_pack.1hVxZt/_old 2018-07-31 16:04:30.276067425 +0200 +++ /var/tmp/diff_new_pack.1hVxZt/_new 2018-07-31 16:04:30.276067425 +0200 @@ -1,7 +1,7 @@ # # spec file for package scap-workbench # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -20,10 +20,11 @@ Version: 1.1.5 Release: 0 Summary: A SCAP scanner and SCAP content editor -License: GPL-3.0 +License: GPL-3.0-only Group: Productivity/Security Url: https://github.com/OpenSCAP/scap-workbench Source: https://github.com/OpenSCAP/scap-workbench/releases/download/%version/scap-w... +Patch0: 0001-pkexec-avoid-potential-local-root-exploit-by-using-P.patch BuildRequires: cmake >= 2.6 BuildRequires: openscap-devel # SLE 11 SP3: libopenscap needs libxslt without requiring it @@ -57,6 +58,7 @@ %prep %setup -q +%patch0 -p1 %build %if 0%{?cmake} ++++++ 0001-pkexec-avoid-potential-local-root-exploit-by-using-P.patch ++++++
From 2dff0925c5435d3bdb35186c015a89613ce4e3ad Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Thu, 19 Jul 2018 12:27:46 +0200
Subject: [PATCH] pkexec: avoid potential local root exploit by using PKEXEC_UID and sudo
If an admin relaxes the required polkit authentication for running scap-workbench-oscap.sh from auth_admin to auth_self or yes, then the current implementation of the wrapper script allows for a local root exploit. A command line like this would overwrite /etc/shadow with a file owned by the non-privileged user: pkexec --disable-internal-agent /usr/lib64/scap-workbench/scap-workbench-oscap.sh 1000 100 \ xccdf eval --profile Default --oval-results --results /etc/shadow \ --results-arf /tmp/scap.results.arf --report /tmp/scap.report \ --progress /usr/share/openscap/scap-yast2sec-xccdf.xml The copying of the target files needs to be done in the context of the unprivileged user to prevent any symlink attacks or maliciously specified paths. This is done by using sudo as a frontend to cp. Also the user should not pass his own uid and gid. This would allow to change ownership of files to arbitrary other users. Instead pkexec offers the PKEXEC_UID environment variable which contains the uid of the authenticated user. The gid can be derived from the uid. --- scap-workbench-oscap.sh | 32 ++++++++++++++++++++++++-------- scap-workbench-pkexec-oscap.sh | 7 ++----- 2 files changed, 26 insertions(+), 13 deletions(-) diff --git a/scap-workbench-oscap.sh b/scap-workbench-oscap.sh index 216376f..6f720de 100755 --- a/scap-workbench-oscap.sh +++ b/scap-workbench-oscap.sh @@ -25,14 +25,15 @@ trap "" SIGHUP SIGINT # valuable gets skipped echo "Dummy text" 1>&2 -wrapper_uid=$1 -shift -wrapper_gid=$1 -shift +# prevent world-readable files being created +umask 0007 real_uid=`id -u` real_gid=`id -g` +wrapper_uid=${PKEXEC_UID:-${real_uid}} +wrapper_gid=$(id -g ${wrapper_uid}) + TEMP_DIR=`mktemp -d` args=("$@") 
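Review bot: In the new `wrapper_uid=${PKEXEC_UID:-${real_uid}}` and `wrapper_gid=$(id -g ${wrapper_uid})` lines neither value is validated. PKEXEC_UID is trustworthy when pkexec set it, but scap-workbench-oscap.sh is also executed directly in the fallback path of the pkexec wrapper, where a PKEXEC_UID exported by the user is inherited; it then differs from `real_uid`, `do_chown` becomes true and the unprivileged run fails in `chown`/`sudo` instead of doing a plain copy. If `id -g` fails (unknown or non-numeric uid), `wrapper_gid` is empty and the `[ ... -ne ... ]` comparisons further down become shell errors rather than a clean abort. Suggest honouring PKEXEC_UID only when `real_uid` is 0, rejecting a non-numeric value, and aborting when the lookup fails, e.g. `wrapper_gid=$(id -g "$wrapper_uid") || exit 1`.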
@@ -84,19 +85,34 @@ RET=$? popd > /dev/null +# only copy files with the target user's permissions via sudo if we're running +# privileged, otherwise he can trick us into overwriting arbitrary files +do_chown=false +if [ $wrapper_uid -ne $real_uid ] || [ $wrapper_gid -ne $real_gid ]; then + do_chown=true +fi + function chown_copy { local what="$1" local where="$2" - [ ! -f "$what" ] || cp "$what" "$where" + [ -f "$what" ] || return - # chown only required if wrapper_{uid,gid} differs from real_{uid,gid} - if [ $wrapper_uid -ne $real_uid ] || [ $wrapper_gid -ne $real_gid ]; then - chown $wrapper_uid:$wrapper_gid $where + if $do_chown; then + chown $wrapper_uid:$wrapper_gid "$what" + sudo -u "#${wrapper_uid}" cp "$what" "$where" + else + cp "$what" "$where" fi } +if $do_chown; then + # don't grant the user ownership of or write access to the directory, + # otherwise he could trick us by replacing the files with symlinks + chmod o+rx "${TEMP_DIR}" +fi + chown_copy "$TEMP_DIR/results-xccdf.xml" "$TARGET_RESULTS_XCCDF" chown_copy "$TEMP_DIR/results-arf.xml" "$TARGET_RESULTS_ARF" chown_copy "$TEMP_DIR/report.html" "$TARGET_REPORT" diff --git a/scap-workbench-pkexec-oscap.sh b/scap-workbench-pkexec-oscap.sh index 1ae8329..a8d9b2b 100755 --- a/scap-workbench-pkexec-oscap.sh +++ b/scap-workbench-pkexec-oscap.sh @@ -18,9 +18,6 @@ set -u -o pipefail -uid=`id -u` -gid=`id -g` - PARENT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" PKEXEC_PATH="pkexec" @@ -29,7 +26,7 @@ SCAP_WORKBENCH_OSCAP="$PARENT_DIR/scap-workbench-oscap.sh" # We run unprivileged if pkexec was not found. #which $PKEXEC_PATH > /dev/null || exit 1 # fail if pkexec was not found -$PKEXEC_PATH --disable-internal-agent "$SCAP_WORKBENCH_OSCAP" $uid $gid "$@" 2> >(tail -n +2 1>&2) +$PKEXEC_PATH --disable-internal-agent "$SCAP_WORKBENCH_OSCAP" "$@" 2> >(tail -n +2 1>&2) EC=$? # 126 is a special exit code of pkexec when user dismisses the auth dialog 
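Review bot: `sudo -u "#${wrapper_uid}" cp "$what" "$where"` in `chown_copy` (the `@@ -84,19 +85,34 @@` hunk of scap-workbench-oscap.sh) makes sudo a hard runtime dependency of the privileged path, and the spec change in this request only adds Patch0: if the package does not already require sudo, add `Requires: sudo`, because without it the result files are never written and nothing in `chown_copy` checks the exit status of `chown` or `sudo ... cp`. Two smaller points in the same function: pass `-n` to sudo so a sudoers setup that asks for a password fails immediately instead of blocking the pkexec'd script on a prompt, and use `cp -- "$what" "$where"` in both branches, since `$where` is user-controlled and a target starting with `-` is otherwise parsed by cp as an option. The order of operations is right: `chown` on the source inside the root-owned temp dir (0700 from `mktemp -d`, 0705 after the `chmod o+rx`) lets the user read the file but not replace it before the copy.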
@@ -38,7 +35,7 @@ EC=$? # This is common in niche desktop environments. if [ $EC -eq 126 ] || [ $EC -eq 127 ]; then # in case of dismissed dialog we run without super user rights - "$SCAP_WORKBENCH_OSCAP" $uid $gid "$@" 2> >(tail -n +2 1>&2); + "$SCAP_WORKBENCH_OSCAP" "$@" 2> >(tail -n +2 1>&2); exit $? fi -- 2.16.4
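Review bot: The fallback `"$SCAP_WORKBENCH_OSCAP" "$@"` runs the oscap wrapper with the caller's untouched environment, and the wrapper now reads PKEXEC_UID from it. An exported PKEXEC_UID would steer the unprivileged run into the chown/sudo branch, so scrub it at this call site: `env -u PKEXEC_UID "$SCAP_WORKBENCH_OSCAP" "$@" 2> >(tail -n +2 1>&2)`. The pkexec invocation above does not need this, because pkexec replaces the environment and sets PKEXEC_UID itself.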
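The handoff pattern the commit message describes (take the uid from PKEXEC_UID instead of an argument, derive the gid from it, and let the user rather than root perform the final cp via sudo), as an added example that is not code from this commit or from the scap-workbench project. It goes slightly beyond the patch by validating PKEXEC_UID and honouring it only when actually running as root. `target_uid`, `primary_gid`, `hand_over` and `run_demo` are invented names; it assumes sudo is installed when the script runs privileged, and the result file and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not scap-workbench code: privilege handoff for result files.
# Assumes: pkexec sets PKEXEC_UID when it runs us as root; sudo exists when
# we are root. Function names are invented; sample data is constructed.

set -u

# target_uid REAL_UID PKEXEC_UID: print the uid whose files we are producing.
# PKEXEC_UID is honoured only when we really run as root. Under pkexec it is
# set by pkexec itself in a cleaned environment; in the unprivileged fallback
# (wrapper started directly) it is whatever the user exported and must not
# steer a later chown. A non-numeric value is rejected rather than passed on.
target_uid() {
    local real_uid="$1" pk_uid="$2"
    if [ "$real_uid" -ne 0 ] || [ -z "$pk_uid" ]; then
        printf '%s\n' "$real_uid"
        return 0
    fi
    case $pk_uid in
        *[!0-9]*) printf 'refusing non-numeric PKEXEC_UID: %s\n' "$pk_uid" >&2; return 1 ;;
    esac
    printf '%s\n' "$pk_uid"
}

# primary_gid UID: group the produced files are chowned to; fails on unknown uid.
primary_gid() {
    id -g "$1"
}

# hand_over SRC DST UID GID: deliver one produced file to the caller's path.
# Privileged: chown SRC to the user, then let the user run cp, so DST is
# opened with the user's rights (a symlink at DST pointing to /etc/shadow
# simply fails). Unprivileged: plain cp. '--' stops a DST beginning with '-'
# from being parsed as an option; sudo -n fails instead of prompting.
hand_over() {
    local src="$1" dst="$2" uid="$3" gid="$4"
    [ -f "$src" ] || return 0            # scanner produced nothing here
    if [ "$(id -u)" -eq 0 ] && [ "$uid" -ne 0 ]; then
        chown -- "$uid:$gid" "$src" || return 1
        sudo -n -u "#$uid" cp -- "$src" "$dst"
    else
        cp -- "$src" "$dst"
    fi
}

# run_demo: one simulated wrapper run. The scratch dir comes from mktemp -d
# (mode 0700); when privileged it is opened read-only to the user so the
# produced file can be read but never swapped for a symlink.
run_demo() {
    local work out uid gid
    work=$(mktemp -d) && out=$(mktemp -d) || return 1
    umask 0007                            # nothing world-readable
    uid=$(target_uid "$(id -u)" "${PKEXEC_UID:-}") || return 1
    gid=$(primary_gid "$uid") || return 1
    if [ "$(id -u)" -eq 0 ] && [ "$uid" -ne 0 ]; then
        chmod o+rx "$work"
    fi
    printf '<TestResult id="constructed-sample"/>\n' > "$work/results-xccdf.xml"
    hand_over "$work/results-xccdf.xml" "$out/results.xml" "$uid" "$gid" || return 1
    cat "$out/results.xml"
    rm -rf "$work" "$out"
}

run_demo
```

Run it directly to see the unprivileged path; started through pkexec as root, `target_uid` picks up PKEXEC_UID and `hand_over` takes the chown-then-`sudo -n -u "#uid" cp` branch, which is the part of the pattern that neutralises a malicious `--results /etc/shadow`.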