/etc/init.d/selinux possible privilege escalation
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| selinux (Ubuntu) | Fix Released | Low | Jamie Strandboge | |
| Hardy | Fix Released | Low | Jamie Strandboge | |
| Lucid | Fix Released | Low | Jamie Strandboge | |
| Maverick | Fix Released | Low | Jamie Strandboge | |
| Natty | Fix Released | Low | Jamie Strandboge | |
| Oneiric | Fix Released | Low | Jamie Strandboge | |
| Precise | Fix Released | Low | Jamie Strandboge | |
Bug Description
Dear All,
I think there might be a problem with the startup script /etc/init.d/selinux that allows an unprivileged user to create a file in any directory. I am copying a message I sent to Jamie Strandboge -
In my Ubuntu 11.10 (Oneiric), the script /etc/init.d/selinux contains:
```sh
statusfile=
...
lockfile=
...
# Start only creates the lock
start() {
if [ -e $statusfile ]; then
else
fi
}
```
As /var/lock is world writable, a user could presumably create a file in any location by making this a symlink. Admittedly, /var/lock does not persist across reboots (tmpfs), and once selinux-relabel has been created by root it cannot be changed, but if the administrator for example restarts the daemon, in this gap, the user could create the file. I confirmed this to be the case on my machine. Or, if selinux is installed for the first time, then too shall a link be followed if it is pre-created.
Please let me know if further details are required.
Thanks,
Hayawardh Vijayakumar.
Details:
```
# lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
# apt-cache policy selinux
Installed: 1:0.9
Candidate: 1:0.9
Version table:
*** 1:0.9 0
500 http://
100 /var/lib/
```
To exploit:
When SELinux is not installed or the autorelabel daemon is stopped through e.g., /etc/init.d/selinux stop
```
unpriv-user$ ln -s /etc/file_to_create /var/lock/
```
When /etc/init.d/selinux start happens,
```
# ls -l /etc/file_to_create
-rw-r--r--. 1 root root 0 2011-10-17 20:29 /etc/file_to_create
```
EDIT: This was run under a kernel.org kernel that did not have yama installed. As Marc notes, under default yama configuration, this attack shall be blocked by the system due to yama (Maverick upwards).
Thank you for using Ubuntu and creating a bug. In analyzing your report it is clear that this can be used to create files like /etc/nologin, /forcefsck and others. The initscript should be using 'touch --no-dereference' instead. Due to the nature of when the init script runs I am giving this a preliminary priority of 'Low'.
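A hardened form of the marker-file creation in the report's start(), added here as an example and not code from the Ubuntu selinux package: it creates the file with O_CREAT|O_EXCL semantics through the shell's noclobber redirection, so a symlink pre-planted at the path is refused rather than followed. The file name selinux-relabel and the /var/lock scenario come from the report; the scratch directory, the return codes and the demo functions are constructed for this example.

```shell
#!/bin/sh
# Added example, not the Ubuntu selinux package's own init script: creating a
# marker file in a way that a symlink planted in world-writable /var/lock cannot
# redirect. The name selinux-relabel is from the report; demos use a mktemp dir.

# create_marker FILE: creates FILE via noclobber redirection, which uses
# O_CREAT|O_EXCL when FILE does not stat(2), so a dangling symlink planted at
# FILE makes open(2) fail with EEXIST instead of creating the target as
# 'touch FILE' would. Returns 0 created, 2 regular file already present, 1 refused.
create_marker() {
    if ( set -C; : > "$1" ) 2>/dev/null; then
        return 0
    fi
    if [ -L "$1" ]; then
        echo "refusing to create $1: a symlink is already there" >&2
        return 1
    fi
    if [ -f "$1" ]; then return 2; fi
    echo "cannot create $1" >&2
    return 1
}

# The report's scenario: selinux-relabel pre-created as a symlink to a path
# root must not create. Returns 0 only if the marker was refused and the
# target still does not exist afterwards.
demo_symlink_refused() {
    lockdir=$(mktemp -d)
    target=$lockdir/etc-file_to_create      # stands in for /etc/file_to_create
    ln -s "$target" "$lockdir/selinux-relabel"
    rc=0
    create_marker "$lockdir/selinux-relabel" 2>/dev/null || rc=$?
    if [ -e "$target" ]; then rc=99; fi      # target got created: the bug
    rm -rf "$lockdir"
    [ "$rc" -eq 1 ]
}

# Normal path: a fresh marker is created; a second start sees it (returns 2).
demo_normal_path() {
    lockdir=$(mktemp -d)
    first=0; second=0
    create_marker "$lockdir/selinux-relabel" || first=$?
    create_marker "$lockdir/selinux-relabel" || second=$?
    rm -rf "$lockdir"
    [ "$first" -eq 0 ] && [ "$second" -eq 2 ]
}

demo_symlink_refused && demo_normal_path && echo "planted symlink refused; marker created normally"
```

The O_EXCL path protects the creation step only; a marker that already exists as a symlink is reported and left alone, so the caller still has to decide how to treat a refused start.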