Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1357859 - guest_t can run sudo
Summary: guest_t can run sudo
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.3
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Jakub Jelen
QA Contact: Stefan Kremen
URL:
Whiteboard:
Depends On: 1356245 1357857 1357860
Blocks: 1376826 1378463
TreeView+ depends on / blocked
 
Reported: 2016-07-19 12:21 UTC by Lukas Vrabec
Modified: 2016-11-03 20:20 UTC (History)
15 users (show)

Fixed In Version: openssh-6.6.1p1-29.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1357857
: 1376826 (view as bug list)
Environment:
Last Closed: 2016-11-03 20:20:29 UTC


Attachments (Terms of Use)
proposed patch for openssh (drop suid early, retain SYS_CHROOT, fallback to old behavior) (deleted)
2016-07-20 11:16 UTC, Jakub Jelen
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2588 normal SHIPPED_LIVE Moderate: openssh security, bug fix, and enhancement update 2016-11-03 12:09:45 UTC

Comment 2 Jakub Jelen 2016-07-20 11:16:12 UTC
Created attachment 1182040 [details]
proposed patch for openssh (drop suid early, retain SYS_CHROOT, fallback to old behavior)

See the comment #7 in the bug #1356245 for the changes need to the policy.

Comment 7 Jakub Jelen 2016-08-02 06:05:48 UTC
It looks like Lukas didn't actually add the setcap rule, only the setpcap, as it looks from the linked diff. And to the SSH client policy?

> + # SSH client local policy
> ++allow ssh_t self:capability { setpcap setuid setgid dac_override dac_read_search };

Shouldn't it come to the  sshd_t  as explained in the above mentioned comment?

Comment 12 Jakub Jelen 2016-09-14 08:16:30 UTC
Stefan,
this is expected behavior. The issue was that the  guest_u  could run the sudo when the boolean  selinuxuser_use_ssh_chroot  was enabled. Reading the  /etc/shadow  is out of the scope of this bug. It was just an arbitrary operation requiring superuser privileges.

AFAIK, there was no real exploit (Simon, Lukas, correct me if I am wrong), because the context of  guest_u  didn't allow to progress much further from sudo, but mitigating even the ability to start sudo was the intention of this bug (removing setuid, setgid permissions from the confined users and handling the chroot in ssh using linux capabilities).

Comment 13 Stefan Kremen 2016-09-14 09:57:07 UTC
Thanks Jakub for explanation.

Comment 16 errata-xmlrpc 2016-11-03 20:20:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2588.html


Note You need to log in before you can comment on or make changes to this bug.