Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

install: create autoinstall-user-data 0400 #1820

Merged
merged 1 commit into from
Oct 5, 2023
Merged

install: create autoinstall-user-data 0400 #1820

merged 1 commit into from
Oct 5, 2023

Conversation

dbungert
Copy link
Collaborator

@dbungert dbungert commented Oct 5, 2023

CVE-2023-5182

As autoinstall-user-data contains a password hash hash for a user with sudo access, create the autoinstall-user-data as 0400 root:root.

The old permissions are 0640 root:adm, and the adm group does not by default have sudo access, so cracking that hash could lead to privilege escallation for someone in the adm group.

Thanks to Patric Åhlin and Johan Hortling for identifying and reporting the issue.

@dbungert
install: create autoinstall-user-data 0400
62e1268 
CVE-2023-5182

As autoinstall-user-data contains a password hash hash for a user with
sudo access, create the autoinstall-user-data as 0400 root:root.

The old permissions are 0640 root:adm, and the adm group does not by
default have sudo access, so cracking that hash could lead to privilege
escallation for someone in the adm group.

Thanks to Patric Åhlin and Johan Hortling for identifying and reporting
the issue.
@dbungert
Copy link
Collaborator Author

dbungert commented Oct 5, 2023

Target system logs now look like:

ubuntu@ubuntu:/var/log/installer$ ls -al
total 896
drwxr-x--- 4 root adm    4096 Oct  5 00:07 .
drwxr-xr-x 8 root root   4096 Oct  5 00:07 ..
-r-------- 1 root root   3038 Oct  5 00:07 autoinstall-user-data
drwxr-xr-x 2 root root   4096 Oct  5 00:05 block
-rw-r--r-- 1 root root     75 Oct  5 00:06 casper-md5check.json
-rw-r----- 1 root adm    5406 Oct  5 00:05 cloud-init-output.log
-rw-r----- 1 root adm   62300 Oct  5 00:05 cloud-init.log
drwxr-xr-x 2 root root   4096 Oct  5 00:06 curtin-install
-rw-r--r-- 1 root root 115677 Oct  5 00:07 curtin-install.log
-rw-r--r-- 1 root root    155 Oct  5 00:06 device-map.json
-rw-r----- 1 root adm  545519 Oct  5 00:07 installer-journal.txt
-rw-r--r-- 1 root root     62 Oct  5 00:06 media-info
lrwxrwxrwx 1 root root     31 Oct  5 00:05 subiquity-client-debug.log -> subiquity-client-debug.log.1620
-rw-r----- 1 root adm    2363 Oct  5 00:05 subiquity-client-debug.log.1620
lrwxrwxrwx 1 root root     30 Oct  5 00:05 subiquity-client-info.log -> subiquity-client-info.log.1620
-rw-r----- 1 root adm     207 Oct  5 00:05 subiquity-client-info.log.1620
-rw-r----- 1 root adm     472 Oct  5 00:05 subiquity-curtin-apt.conf
lrwxrwxrwx 1 root root     31 Oct  5 00:05 subiquity-server-debug.log -> subiquity-server-debug.log.1636
-rw-r----- 1 root adm  118860 Oct  5 00:07 subiquity-server-debug.log.1636
lrwxrwxrwx 1 root root     30 Oct  5 00:05 subiquity-server-info.log -> subiquity-server-info.log.1636
-rw-r----- 1 root adm    4520 Oct  5 00:07 subiquity-server-info.log.1636

@dbungert dbungert requested a review from mwhudson October 5, 2023 01:38
@dbungert dbungert merged commit 2970912 into canonical:main Oct 5, 2023
11 checks passed
@dbungert dbungert deleted the CVE-2023-5182 branch October 5, 2023 02:45
@dbungert dbungert mentioned this pull request Oct 5, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mwhudson mwhudson mwhudson approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dbungert @mwhudson