(RHEL-18791) CVE-2023-26604 systemd: privilege escalation via the less pager #424
Conversation
Some extra safety when invoked via "sudo". With this we address a genuine design flaw of sudo, and we shouldn't need to deal with this. But it's still a good idea to disable this surface given how exotic it is. Prompted by #5666 (cherry picked from commit 612ebf6) Related: RHEL-18791
For a long time some functions only worked when in a session, and the test didn't execute them when sd_pid_get_session() failed. Let's always call them to increase coverage. While at it, let's test for ==0 not >=0 where we don't expect the function to return anything except 0 or error. (cherry picked from commit 1b5b507) Related: RHEL-18791
…uested

The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about less now), and we automatically enable secure mode in certain cases, but not otherwise. This approach is more nuanced, but should provide a better experience for users:

- Previously we would set LESSSECURE=1 and trust the pager to make use of it. But this has an effect only on less. We need to not start pagers which are insecure when in secure mode. In particular more is like that and is a very popular pager.
- We don't enable secure mode always, which means that those other pagers can reasonably be used.
- We do the right thing by default, but the user has ultimate control by setting SYSTEMD_PAGERSECURE.

Fixes #5666.

v2:
- also check $PKEXEC_UID

v3:
- use 'sd_pid_get_owner_uid() != geteuid()' as the condition

(cherry picked from commit 0a42426) Resolves: RHEL-18791
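To make the policy in that commit message concrete, here is an added, stand-alone illustration of the decision it describes: an explicit $SYSTEMD_PAGERSECURE wins, otherwise secure mode is enabled exactly when the session owner uid differs from the effective uid (the sudo/pkexec case), and in secure mode only `less` is started because it is the only common pager that honours LESSSECURE=1 (which disables the `!`, `|`, `s` and `v` escapes an attacker would use to get a root shell). This is example code written for this page, not systemd's pager.c; the function names are invented, the owner uid is passed in as a return-code/value pair standing in for sd_pid_get_owner_uid(), and failing closed when that lookup fails is this example's choice.

```c
/* Illustrative re-implementation of the pager secure-mode policy described in
 * the commit message above. Added example, not systemd's own code; all helper
 * names here are invented for the illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/types.h>

/* Parse a boolean environment value ("1"/"yes"/"true"/"on" or "0"/"no"/"false"/"off").
 * Returns 1 for true, 0 for false, -1 when the value is NULL or not recognised. */
int parse_bool_env(const char *v) {
        static const char *const yes[] = { "1", "yes", "y", "true", "t", "on" };
        static const char *const no[]  = { "0", "no", "n", "false", "f", "off" };
        if (!v)
                return -1;
        for (size_t i = 0; i < sizeof(yes) / sizeof(*yes); i++)
                if (strcasecmp(v, yes[i]) == 0)
                        return 1;
        for (size_t i = 0; i < sizeof(no) / sizeof(*no); i++)
                if (strcasecmp(v, no[i]) == 0)
                        return 0;
        return -1;
}

/* Decide whether the pager must run in secure mode.
 *   pagersecure  : value of $SYSTEMD_PAGERSECURE, or NULL if unset
 *   owner_uid_rc : 0 if the session owner uid was determined, <0 on lookup error
 *                  (stands in for the return code of sd_pid_get_owner_uid())
 *   owner_uid    : the session owner uid, valid when owner_uid_rc == 0
 *   euid         : our effective uid (what geteuid() would return)
 * Policy: an explicit, parsable $SYSTEMD_PAGERSECURE always wins; a set but
 * unparsable value fails closed; otherwise secure mode is on when the owner uid
 * could not be determined (fail closed, this example's choice) or differs from
 * the euid, i.e. we were started through sudo or pkexec. */
bool pager_secure_mode(const char *pagersecure, int owner_uid_rc, uid_t owner_uid, uid_t euid) {
        int r = parse_bool_env(pagersecure);
        if (pagersecure && r < 0)
                return true;              /* set but garbage: assume secure */
        if (r >= 0)
                return r == 1;            /* user's explicit choice */
        return owner_uid_rc < 0 || owner_uid != euid;
}

/* In secure mode only `less` (or no pager at all) is acceptable, since other
 * pagers such as `more` ignore LESSSECURE and keep their shell escapes. The
 * pager string may carry arguments ("less -R") or a path ("/usr/bin/less"). */
bool pager_allowed(const char *pager, bool secure) {
        if (!secure)
                return true;
        if (!pager || !*pager)
                return true;              /* no pager is the safest pager */
        const char *base = strrchr(pager, '/');
        base = base ? base + 1 : pager;
        size_t n = strcspn(base, " \t"); /* cut the program name off its arguments */
        return n == 4 && strncmp(base, "less", 4) == 0;
}

int main(void) {
        /* Constructed scenarios for illustration, not captured from a real system. */
        const uid_t me = 1000, root = 0;
        printf("plain user, variable unset      : %s\n", pager_secure_mode(NULL, 0, me, me)   ? "secure" : "normal");
        printf("under sudo (owner 1000, euid 0) : %s\n", pager_secure_mode(NULL, 0, me, root) ? "secure" : "normal");
        printf("owner uid lookup failed         : %s\n", pager_secure_mode(NULL, -1, 0, root) ? "secure" : "normal");
        printf("SYSTEMD_PAGERSECURE=0 under sudo: %s\n", pager_secure_mode("0", 0, me, root)  ? "secure" : "normal");
        printf("'more' in secure mode allowed   : %s\n", pager_allowed("more", true) ? "yes" : "no");
        printf("'/usr/bin/less -R' secure mode  : %s\n", pager_allowed("/usr/bin/less -R", true) ? "yes" : "no");
        return 0;
}
```

The interesting cases are the last two printed lines: a user who sets `PAGER=more` and then runs a systemd tool under `sudo` gets the pager refused rather than a pager with a working `!` escape, while the same user as themselves keeps `more` because the owner uid and euid match.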
Ubuntu builds on the Launchpad infrastructure run inside a chroot that does not have the sysfs cgroup dirs mounted, so this call will return ENOMEDIUM from cg_unified_cached() during the build-time testing, for example when building the package in a Launchpad PPA. (cherry picked from commit 352ab9d) Related: RHEL-18791
Commit validation: Tracker - RHEL-18791. The following commits meet all requirements.
Tracker validation: Success 🟢 Tracker RHEL-18791 has set desired product
Pull Request validation: Success 🟢 CI - All checks have passed
Auto Merge: Failed 🔴 Pull Request has unsupported target branch
Success 🟢 Pull Request is not marked as draft and it's not blocked by
LGTM
Resolves: RHEL-18791