Author: Olaf Meeuwissen
Date:  
To: dng
Subject: Re: [DNG] systemd allows elevated access from unit files?
Hi,

Evilham writes:

> Hi there,
>
> On 03/07/2017 at 16:08, dev wrote:
>> Sounds like a "won't fix", too:
>>
>>   "So, yeah, I don't think there's anything to fix in systemd here."
>>    - Poettering

>>
>> Not sure what's more troubling here[1]; the lack of concern, the
>> digression from POSIX, or the bug/backdoor itself. Maybe all three.
>>
>> useradd 0day works on Devuan. adduser 0day does not. Which is correct?
>
> I had this discussion yesterday, so here are my 2 cents :-).
>
> It is quite inconsistent what a "valid username" is, apparently it has
> gotten better.


Indeed and that's exactly why systemd shouldn't assume it's living in a
Happy World of overly optimistic assumptions.

> According to POSIX, a valid username may include: a-z, A-Z, 0-9, ., -, _
> Where "-" cannot appear at the beginning. There is no further
> restriction on the other chars.
> http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_435


So if systemd were to adhere to POSIX (now I'm being overly optimistic,
probably), systemd should check the user names in unit files for POSIX
conformance and flatly refuse to do anything if they're not.

If systemd were to just take any user name, then it should *still* check
that whatever user name it gets actually corresponds to an existing user
(and that that user is a system user to boot) before going ahead and
doing anything.

Of course, all this checking negatively affects boot times so systemd
simply assumes all's well ;-P

> So, useradd works because it's lower level, adduser does not, because it
> comes from shadow and they have more restrictions on what a valid name
> is. IMHO that's a bug in shadow.
> https://github.com/shadow-maint/shadow/blob/master/libmisc/chkname.c#L52


On an even lower level, any text editor + shell combination will let you
add accounts with whatever whacky user name you can think of. As far as
/etc/passwd (and /etc/shadow) are concerned, the ':' is just about the
only character you cannot use file format wise. Whether login (or your
display manager) will let you log in with that is another matter but for
systemd unit files the capability to log in is not required.

# UTF-8 user names anyone? ;-)

> It is not possible, for example to execute: adduser name.lastname, which
> is a valid POSIX username (but useradd name.lastname works fine).
>
> The biggest issue with that systemd bug is that it should refuse to run
> the unit instead of overriding what the sysadmin wrote and running as root.


The security conscious call that privilege escalation. Anyone capable
of putting such a unit file on your system(d) will own your box as soon
as the service runs.

> But hey, that's why we are here on Devuan.


Indeed.
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join
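
The two checks proposed in the message above (POSIX conformance of the User= name, then existence of the account), as an added example that is not part of the original post and not systemd code. The function names, the sample unit and the passwd lines are constructed for illustration; numeric UIDs are only flagged for review, and an empty User= is assumed to mean unset.

```python
import re

# POSIX portable user name as quoted in the thread: A-Z a-z 0-9 . _ -,
# with "-" not allowed as the first character.
POSIX_NAME = re.compile(r"[A-Za-z0-9._][A-Za-z0-9._-]*")

# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "0day:x:1001:1001::/home/0day:/bin/sh\n"
)
UNIT_TEMPLATE = "[Unit]\nDescription=constructed sample\n\n[Service]\nUser={}\nExecStart=/bin/true\n"


def passwd_users(passwd_text):
    """Return the set of account names found in passwd(5)-format text."""
    return {line.split(":", 1)[0] for line in passwd_text.splitlines()
            if line and not line.startswith("#")}


def unit_user(unit_text):
    """Return the last non-empty User= value in [Service], or None."""
    section, user = None, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "User":
                user = value.strip() or None  # assumption: empty means unset
    return user


def audit_unit(unit_text, known_users):
    """Classify User=; any result other than 'ok' or 'no-user' should block the unit."""
    user = unit_user(unit_text)
    if user is None:
        return "no-user"
    if user.isdigit():
        return "numeric-uid"      # not resolved here; review by hand
    if not POSIX_NAME.fullmatch(user):
        return "invalid-name"     # refuse rather than fall back to root
    if user not in known_users:
        return "unknown-user"
    return "ok"
```
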