Default use of 'less' is a security concern #5666
Comments
|
That sudoers rule is begging for trouble (and |
|
Sorry, but this appears to be a limitation of your sudoers rule, but not systemctl. The auto-paging behaviour of systemctl is well-known, and can be disabled easily, including in a per-invocation mode the way you describe. Sorry, but I don't think there's anything to fix here in systemd: the general should be to be very careful when writing sudo rules (or even better simply not use it at all). I hope this makes sense, closing. |
|
What you are saying makes sense, but I disagree with it. Your choice. I'll only expand on what I said by saying this. Misconfiguration is a very common root cause of security vulnerabilities in live systems. For example, it is in the OWASP Top 10 (A5). It seems like a poor design choice to invoke a pager in a utility that will be frequently run as root, and may need access marshaled to it using tools like sudo. In fact, if you Google around to see what people are doing, you can see examples of people using sudo in this way to marshal access to systemctl without disabling the pager. I would think that the systemd project would want to prevent these kinds of common misconfigurations. I agree that 'systemctl status' is not the best example, given that is works pretty much fully intact as root. That said, I've seen cases where status output varies a bit depending on level of access. In my own experience, I run systemctl status dhcpd.service as root, because doing it this way gives me a short tail of the dhcp log. Doing it as a user does not. There's enough lines there to invoke a pager, and now we have a potential path to root. I also will concede that in this case, the best practice is to lock down the environment better. This can be done in sudoers. It is not difficult to create an environment for systemctl that will not invoke a pager. I just think its something that a lot of people are going to miss, and it seems like default behavior that is just asking for trouble. |
|
This is literally why policykit was invented. Allowing untrusted users to run interactive applications as root is just begging for trouble. If you, for example, need to allow a user start/stop a specific service, you can add a policykit rule to allow then to do so without allowing anyone to run
Add yourself to the
You can also set the |
|
As the original submitter of the bug on Red Hat's bugzilla, I have seen these sudo "misconfigurations" too much. You can't ask for people to know exactly what other processes are invoked when you use a tool like systemctl. The user that installed the sudo rule could have tried it on a 20" monitor and never saw that a pager was activated, so it has no idea a pager needs to be disabled, then goes and writes a tool for less privileged IT staff that use systemctl status, and then some of those notice the pager is active because they are using a small monitor / window and take advantage of the less feature to invoke programs. IMHO LESSSECURE should be added to all less invocations by systemd, and by the way, never use more as a fallback because it doesn't have a way to disable program invocation |
policykit is an overkill for a sysadmin that just want to give their IT staff a tool to check if a system is running or not via sudo. |
That makes sense I guess. Can you file an RFE about exactly this? |
You don't need privs to check that... You only need privs if you actually want to change state of something, introspection of the objects systemd manages is unrestricted. |
Or even better file a PR that adds that? |
Cloning right now, it will probably take more time for me to learn the testing infrastructure. |
Some extra safety when invoked via "sudo". With this we address a genuine design flaw of sudo, and we shouldn't need to deal with this. But it's still a good idea to disable this surface given how exotic it is. Prompted by systemd#5666
keszybz
changed the title
|
I think the automagic pager invocation is just a misfeature plain and simple. The tools should just print to stdout, and a caller may redirect stdout into a pager if they wanted one. If it weren't launching the pager from the privileged context during this magic, we wouldn't be having this discussion. There's zero security problem when the user pipes stdout of sudo into a pager. |
|
Those extreme systems with weird NSS LDAP NFS etc. stuff where anything of the above needs could be expected from puny |
Some extra safety when invoked via "sudo". With this we address a genuine design flaw of sudo, and we shouldn't need to deal with this. But it's still a good idea to disable this surface given how exotic it is. Prompted by systemd#5666
Some extra safety when invoked via "sudo". With this we address a genuine design flaw of sudo, and we shouldn't need to deal with this. But it's still a good idea to disable this surface given how exotic it is. Prompted by systemd#5666
Some extra safety when invoked via "sudo". With this we address a genuine design flaw of sudo, and we shouldn't need to deal with this. But it's still a good idea to disable this surface given how exotic it is. Prompted by systemd#5666
Some extra safety when invoked via "sudo". With this we address a genuine design flaw of sudo, and we shouldn't need to deal with this. But it's still a good idea to disable this surface given how exotic it is. Prompted by systemd#5666
Some extra safety when invoked via "sudo". With this we address a genuine design flaw of sudo, and we shouldn't need to deal with this. But it's still a good idea to disable this surface given how exotic it is. Prompted by systemd#5666
The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about less now), and we automatically enable secure mode under sudo, but not otherwise. This approach is more nuanced, but should provide a better experience for users: - Previusly we would set LESSSECURE=1 and trust the pager to make use of it. But this has an effect only on less. We need to not start pagers which are insecure when in secure mode. In particular more is like that and is a very popular pager. - We don't enable secure mode always, which means that those other pagers can reasonably used. - We do the right thing by default, but the user has ultimate control by setting SYSTEMD_PAGERSECURE. Fixes systemd#5666.
…ested The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about less now), and we automatically enable secure mode under sudo, but not otherwise. This approach is more nuanced, but should provide a better experience for users: - Previusly we would set LESSSECURE=1 and trust the pager to make use of it. But this has an effect only on less. We need to not start pagers which are insecure when in secure mode. In particular more is like that and is a very popular pager. - We don't enable secure mode always, which means that those other pagers can reasonably used. - We do the right thing by default, but the user has ultimate control by setting SYSTEMD_PAGERSECURE. Fixes systemd#5666. v2: - also check $PKEXEC_UID
…uested The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about less now), and we automatically enable secure mode in certain cases, but not otherwise. This approach is more nuanced, but should provide a better experience for users: - Previusly we would set LESSSECURE=1 and trust the pager to make use of it. But this has an effect only on less. We need to not start pagers which are insecure when in secure mode. In particular more is like that and is a very popular pager. - We don't enable secure mode always, which means that those other pagers can reasonably used. - We do the right thing by default, but the user has ultimate control by setting SYSTEMD_PAGERSECURE. Fixes systemd#5666. v2: - also check $PKEXEC_UID v3: - use 'sd_pid_get_owner_uid() != geteuid()' as the condition
…uested The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about less now), and we automatically enable secure mode in certain cases, but not otherwise. This approach is more nuanced, but should provide a better experience for users: - Previusly we would set LESSSECURE=1 and trust the pager to make use of it. But this has an effect only on less. We need to not start pagers which are insecure when in secure mode. In particular more is like that and is a very popular pager. - We don't enable secure mode always, which means that those other pagers can reasonably used. - We do the right thing by default, but the user has ultimate control by setting SYSTEMD_PAGERSECURE. Fixes systemd#5666. v2: - also check $PKEXEC_UID v3: - use 'sd_pid_get_owner_uid() != geteuid()' as the condition
…uested The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about less now), and we automatically enable secure mode in certain cases, but not otherwise. This approach is more nuanced, but should provide a better experience for users: - Previusly we would set LESSSECURE=1 and trust the pager to make use of it. But this has an effect only on less. We need to not start pagers which are insecure when in secure mode. In particular more is like that and is a very popular pager. - We don't enable secure mode always, which means that those other pagers can reasonably used. - We do the right thing by default, but the user has ultimate control by setting SYSTEMD_PAGERSECURE. Fixes systemd#5666. v2: - also check $PKEXEC_UID v3: - use 'sd_pid_get_owner_uid() != geteuid()' as the condition
Some extra safety when invoked via "sudo". With this we address a genuine design flaw of sudo, and we shouldn't need to deal with this. But it's still a good idea to disable this surface given how exotic it is. Prompted by systemd#5666
…uested The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about less now), and we automatically enable secure mode in certain cases, but not otherwise. This approach is more nuanced, but should provide a better experience for users: - Previusly we would set LESSSECURE=1 and trust the pager to make use of it. But this has an effect only on less. We need to not start pagers which are insecure when in secure mode. In particular more is like that and is a very popular pager. - We don't enable secure mode always, which means that those other pagers can reasonably used. - We do the right thing by default, but the user has ultimate control by setting SYSTEMD_PAGERSECURE. Fixes systemd#5666. v2: - also check $PKEXEC_UID v3: - use 'sd_pid_get_owner_uid() != geteuid()' as the condition
Some extra safety when invoked via "sudo". With this we address a genuine design flaw of sudo, and we shouldn't need to deal with this. But it's still a good idea to disable this surface given how exotic it is. Prompted by systemd#5666 (cherry picked from commit 612ebf6)
…uested The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about less now), and we automatically enable secure mode in certain cases, but not otherwise. This approach is more nuanced, but should provide a better experience for users: - Previusly we would set LESSSECURE=1 and trust the pager to make use of it. But this has an effect only on less. We need to not start pagers which are insecure when in secure mode. In particular more is like that and is a very popular pager. - We don't enable secure mode always, which means that those other pagers can reasonably used. - We do the right thing by default, but the user has ultimate control by setting SYSTEMD_PAGERSECURE. Fixes systemd#5666. v2: - also check $PKEXEC_UID v3: - use 'sd_pid_get_owner_uid() != geteuid()' as the condition (cherry picked from commit 0a42426)
|
Cve.mitre assigned vulnerability as CVE-2023-26604. Security mechanisms referred to above appeared in systemd 247. While ubuntu 20 and rhel 8.x use systemd 245. |
Submission type
NOTE: Do not submit anything other than bug reports or RFEs via the issue tracker!
systemd version the issue has been seen with
NOTE: Do not submit bug reports about anything but the two most recently released systemd versions upstream!
Used distribution
In case of bug report: Expected behaviour you didn't see
In case of bug report: Unexpected behaviour you saw
In case of bug report: Steps to reproduce the problem
I realize that this can be addressed by adding the --no-pager option and creating aliases, but is sure seems like invoking a pager that lets you drop shell on a utility run as root is just begging for trouble.
The text was updated successfully, but these errors were encountered: