Ubuntu
accountsservice package

~/.pam_environment gets created as owned by root

Bug #1974250 reported by Gunnar Hjalmarsson
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
accountsservice (Ubuntu)
Fix Released
High
Unassigned
Jammy
Fix Released
Undecided
Unassigned
Kinetic
Fix Released
High
Unassigned

Bug Description

Something has happened lately with accountsservice, which makes it act as root instead of the current user when creating ~/.pam_environment. The very old bug #904395 comes to mind, and this smells a security issue.

The function which is supposed to prevent this behavior is here:

https://salsa.debian.org/freedesktop-team/accountsservice/-/blob/ubuntu/debian/patches/0010-set-language.patch#L75

Haven't investigated further yet.

CVE References

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I can confirm this is happening on jammy, but not on impish.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Looks like this change got reverted:

accountsservice (0.6.55-0ubuntu13.2) groovy-security; urgency=medium

  * SECURITY UPDATE: accountsservice drop privileges SIGSTOP DoS
    (LP: #1900255)
    - debian/patches/0010-set-language.patch: updated to not drop real uid
      and real gid in user_drop_privileges_to_user.
    - debian/patches/0009-language-tools.patch: updated to not reset
      effective uid.
    - CVE-2020-16126

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

It was dropped in this merge:

https://launchpad.net/ubuntu/+source/accountsservice/0.6.55-3ubuntu1

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Please use CVE-2022-1804 for this. Thanks.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I am preparing an update for this issue. Would you like to get credited in the USN?

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

Thanks for dealing with it, Marc!

Hmm.. We haven't had a VCS for Ubuntu previously, but now we have. Suppose that will reduce the risk for this kind of accident going forward.

Credit not important to me.

Revision history for this message
Sebastien Bacher (seb128) wrote :

Marc, do you want desktop to handle the kinetic fix?

Revision history for this message
Sebastien Bacher (seb128) wrote :

Also I wonder if we could write some test to add to the package to ensure we don't regress that one again in the futur

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

I'm thinking of the usability aspect of this. Once the -p argument has been added to the shell scripts, we'll have a lot of users whose UI for changing language/locale appears to be broken. Is there a possibility to chown() those root owned ~/.pam_environment files in a maintainer script?

Revision history for this message
Sebastien Bacher (seb128) wrote :

> Is there a possibility to chown() those root owned ~/.pam_environment files in a maintainer script?

no, we can't really change user files from the package since the user directories could be encrypted or remote nfs ones not mounted at that time

Revision history for this message
Sebastien Bacher (seb128) wrote :

The file can be deleted by the user so we could have a session-migration script or something in accountsservice that read the config, rm it and write it again with the user rights

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

The latter sounds promising. :)

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Here's the debdiff I plan on using. Can someone validate if the code I added to fix the root permissions looks ok?

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

@Marc: Yes, it looks fine AFAICT. I also applied the debdiff and could verify both that it runs as the user and fixes a root owned file elegantly.

Thanks!

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

> +Updated: 2022-05-19
> +
> +#
> +# Do not drop shebang changes in this file when merging from Debian!
> +#

0009-language-tools.patch is used also on Debian, not sure why. Maybe somebody thought that one or more of those scripts may be 'good to have'.

But would it be possible to add the -p argument in Debian too in order to reduce the risk for us?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Or remove those scripts from Debian completely...looks like they were added because of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756259 , but muon doesn't seem to use them anymore...

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Marc, I like the 'fix the permissions' snippet, that looks good to me. (It feels weird that it's probing the filesystem while generating the name to use, before creating the file with the full name, but I don't actually see any problems with it.)

Thanks

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package accountsservice - 22.07.5-2ubuntu1.3

---------------
accountsservice (22.07.5-2ubuntu1.3) jammy-security; urgency=medium

  * SECURITY UPDATE: accountsservice incorrect privilege dropping
    (LP: #1974250)
    - debian/patches/0009-language-tools.patch: updated to not reset
      effective uid, and migrate root-owned .pam_environment file.
    - This change was originally known as CVE-2020-16126 and got reverted
      by mistake in 0.6.55-3ubuntu1.
    - CVE-2022-1804
  * Fix FTBFS with a newer python-dbusmock package:
    - debian/patches/adduser_invocation.patch: fix invocation of AddUser in
      tests/dbusmock/accounts_service.py.
    - debian/patches/setlocked_signature.patch: fix the signature for the
      SetLocked call in tests/dbusmock/accounts_service.py.

 -- Marc Deslauriers <email address hidden> Thu, 19 May 2022 20:02:04 -0400

Changed in accountsservice (Ubuntu):
status: New → Fix Released
Marc Deslauriers (mdeslaur)
information type: Private Security → Public Security
Changed in accountsservice (Ubuntu Jammy):
status: New → Fix Released
Changed in accountsservice (Ubuntu Kinetic):
status: Fix Released → Confirmed
Ubuntu Foundations Team Bug Bot (crichton)
tags: added: patch
Gunnar Hjalmarsson (gunnarhj)
Changed in accountsservice (Ubuntu Kinetic):
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package accountsservice - 22.07.5-2ubuntu2

---------------
accountsservice (22.07.5-2ubuntu2) kinetic; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: accountsservice incorrect privilege dropping
    (LP: #1974250)
    - debian/patches/0009-language-tools.patch: updated to not reset
      effective uid, and migrate root-owned .pam_environment file.
    - This change was originally known as CVE-2020-16126 and got reverted
      by mistake in 0.6.55-3ubuntu1.
    - CVE-2022-1804
  * Fix FTBFS with a newer python-dbusmock package:
    - debian/patches/adduser_invocation.patch: fix invocation of AddUser in
      tests/dbusmock/accounts_service.py.
    - debian/patches/setlocked_signature.patch: fix the signature for the
      SetLocked call in tests/dbusmock/accounts_service.py.

 -- Gunnar Hjalmarsson <email address hidden> Tue, 24 May 2022 19:53:07 +0200

Changed in accountsservice (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

On 2022-05-20 16:54, Marc Deslauriers wrote:
> Or remove those scripts from Debian completely...looks like they
> were added because of https://bugs.debian.org/cgi-
> bin/bugreport.cgi?bug=756259 , but muon doesn't seem to use them
> anymore...

FTR I removed 0009-language-tools.patch from Debian.

https://salsa.debian.org/freedesktop-team/accountsservice/-/commit/294910b8

Let's see if somebody complains.. Hopefully not.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.