Subject: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
From: Maxime Devos
Date: Tue, 06 Apr 2021 11:56:23 +0200
User-agent: Evolution 3.34.2
On Mon, 2021-04-05 at 21:54 +0200, Ludovic Courtès wrote:
> [...]
>
> OK. It does mean that the bug is hardly exploitable in practice: you
> have to be able to log in at all,
Yes.
> and if you’re able to log in, you have
> to log in precisely within the 1s (or less) that follows account
> creation, which sounds challenging (TCP + SSH connection establishment
> is likely to take as much time or more,
Is logging in possible when the home directory doesn't exist?
It isn't possible from the console. I guess it isn't possible from SSH
either.
If it is possible, then the window would be somewhat larger I think. Account creation is done
at activation time, while creating home directories is done as a shepherd
service (see account-service-type in gnu/system/shadow.scm).
> likewise for typing in your password.)
An attacker could copy and paste, or have used a single-character password,
to save some time.
> It’s also one-time chance.
Yes.
> Do I get it right?
I think so, except the window might be larger (but still a one-time chance).
> Does it warrant as strong messaging as for the recent daemon
> ‘--keep-failed’ vulnerability?
As it is a one-time chance, with a limited window, and only under specific
circumstances (creating a new user account), I don't think so. But I would
still recommend upgrading. Does the blog post have ‘too strong messaging’?
Greetings,
Maxime