cinnamon-settings-users.py: fix symlink attack vulnerability #7683
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This script runs as root and allows to configure e.g. other user's icon files. These icon files are written to the respective user's $HOME/.face location. If an unprivileged user prepares a symlink pointing to an arbitrary location then this location will be overwritten with the icon content. This vulnerability thus allows to corrupt the system or other user's files. The content is not attacker controlled, luckily. This change introduces temporary privilege drops to the target user's privileges before attempting to write the respective .face files. This way the kernel can decide if permissions are okay or not.
|
I reported this privately to @clefebvre by mail and he asked me to publish it right away via a PR. So here it is. I think this is the safest way to fix the issue, so we don't have to worry about race conditions and open flags, letting the kernel do the actual security checks. Even safer would be not even to write that file as root, of course ;-) |
|
This was assigned CVE-2018-13054. |
dilinger
added a commit
to dilinger/cinnamon
that referenced
this pull request
Apr 15, 2019
A security hole was fixed in linuxmint#7683, where a user's .face file being modified with root privileges allowed a symlink attack to overwrite root-owned data. Unfortunately, this fix is incomplete - simply dropping privileges means that users who previously had an older .face file would be unable to overwrite it. The old code left .face owned by root. This fix first removes the old .face file as root, then drops privileges and writes the new .face file.
clefebvre
pushed a commit
that referenced
this pull request
Jun 7, 2019
* cinnamon-settings-users.py: update symlink vulnerability fix A security hole was fixed in #7683, where a user's .face file being modified with root privileges allowed a symlink attack to overwrite root-owned data. Unfortunately, this fix is incomplete - simply dropping privileges means that users who previously had an older .face file would be unable to overwrite it. The old code left .face owned by root. This fix first removes the old .face file as root, then drops privileges and writes the new .face file. * cinnamon-settings-users.py: fix coding quality issue Don't ignore all exceptions when trying to remove a file; just OSError exceptions.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This script runs as root and allows to configure e.g. other user's icon
files. These icon files are written to the respective user's $HOME/.face
location. If an unprivileged user prepares a symlink pointing to an
arbitrary location then this location will be overwritten with the icon
content. This vulnerability thus allows to corrupt the system or other
user's files. The content is not attacker controlled, luckily.
This change introduces temporary privilege drops to the target user's
privileges before attempting to write the respective .face files. This
way the kernel can decide if permissions are okay or not.