Devuan logs - #268, boring messages


Message sent to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:


Subject: bug#268: policykit-1: CVE-2018-19788
From: Berbe <bernard+devuan@rosset.net>
To: Devuan Bug Tracking System <submit@bugs.devuan.org>
Date: Fri, 07 Dec 2018 18:41:08 +0100

Package: policykit-1
Version: 0.105-18+devuan2.11
Severity: critical

Dear Maintainer,

Following CVE-2018-19788, it seems the current stable 0.105-18+devuan2.11 is susceptible to the upstream bug in the policykit-1 package, allowing any user with UID > INT_MAX to have access to root commands:

1. service nginx status
   -bash: service: command not found
2. sudo useradd -u 4000000000 test
3. sudo -u test service nginx status
   nginx is running.


-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 9 (n/a)
Release:	9
Codename:	n/a

Architecture: x86_64

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages policykit-1 depends on:
ii  dbus                   1.10.26-0+deb9u1
ii  libc6                  2.24-11+deb9u3
ii  libglib2.0-0           2.50.3-2
ii  libpam0g               1.1.8-3.6
ii  libpolkit-agent-1-0    0.105-18+devuan2.11
ii  libpolkit-backend-1-0  0.105-18+devuan2.11
ii  libpolkit-gobject-1-0  0.105-18+devuan2.11

policykit-1 recommends no packages.

policykit-1 suggests no packages.

-- no debconf information


Message sent to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:


Subject: bug#268: mmhhh
Date: Sat, 8 Dec 2018 10:17:18 +0100
From: KatolaZ <katolaz@freaknet.org>
To: 268@bugs.devuan.org



There is no need to become root in order to use `service`:

$ /usr/sbin/service nginx status
[ ok ] nginx is running.
$

Even with a user with id larger than 4000000000:

$ sudo -u testpolkit /usr/sbin/service nginx stop
[....] Stopping nginx: nginxstart-stop-daemon: warning: failed to kill 2509: Operation not permitted
. ok
$

That's because sudo does *not* use policykit to test user privileges
(rather, it uses its own config files). So maybe this is not
applicable in this case?

HND

KatolaZ




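The reply above makes the key point: `sudo -u test service ...` exercises sudoers, not polkit, so it says nothing about CVE-2018-19788 either way. The script below is an added example (not from the bug report, the Devuan maintainers or the polkit project) of testing the component the CVE is actually about: it asks polkit directly with `pkcheck --process <pid>`, which evaluates the uid of that process against the rules for an action id. Assumptions not stated on the page: `pkcheck` from policykit-1 is installed, `org.freedesktop.policykit.exec` (pkexec's own action id) is a reasonable action to query on a sysvinit host, the test account is called `pktest`, and the `probe` mode runs as root for `useradd` and `su`. The helper functions are pure and safe to run anywhere; nothing touches the system unless invoked with `probe`.

```shell
#!/bin/sh
# Added example: probe polkit (not sudo) with a uid above INT_MAX.
# Assumed, not taken from the bug report: pkcheck is installed, the action id
# org.freedesktop.policykit.exec exists on the host, the test user is "pktest",
# and "probe" mode is run as root.

INT_MAX=2147483647

# CVE-2018-19788 is triggered by uids above INT_MAX (a 32-bit uid_t stored in a
# signed int goes negative). Returns true when the uid is in that range.
uid_exceeds_int_max() {
    [ "$1" -gt "$INT_MAX" ]
}

# Pure helper: the pkcheck command line for an action id and a pid.
# pkcheck resolves the pid to its uid and evaluates the polkit policy for it.
pkcheck_cmd() {
    printf 'pkcheck --action-id %s --process %s\n' "$1" "$2"
}

# Run pkcheck as user $1 for action $2 and print pkcheck's exit status.
# $$ inside the su shell is the pid of a process owned by that user.
# Exit 0 means polkit granted the action with no authentication challenge.
probe_polkit_as_user() {
    user=$1
    action=$2
    su -s /bin/sh "$user" -c "pkcheck --action-id '$action' --process \$\$ >/dev/null 2>&1; echo \$?"
}

case "${1:-}" in
probe)
    uid=${2:-4000000000}
    user=${3:-pktest}
    if uid_exceeds_int_max "$uid"; then
        echo "uid $uid exceeds INT_MAX ($INT_MAX): in the CVE-2018-19788 range"
    fi
    # Create the high-uid account only if it does not already exist (root required).
    id "$user" >/dev/null 2>&1 || useradd -u "$uid" -M -s /bin/sh "$user"
    for action in org.freedesktop.policykit.exec; do
        status=$(probe_polkit_as_user "$user" "$action")
        echo "$action as $user (uid $uid): pkcheck exit $status"
        if [ "$status" -eq 0 ]; then
            echo "  AUTHORIZED without challenge: investigate"
        fi
    done
    ;;
esac
```

Usage: `sh probe-polkit.sh probe 4000000000 pktest` as root, then repeat with a normal uid (for example `sh probe-polkit.sh probe 1000 pktest2`) so the two exit statuses can be compared. A non-zero exit for both is the expected outcome for an action whose implicit authorization is `auth_admin`; an exit of 0 only for the high-uid account is the result that would actually reproduce the CVE on polkit, independent of sudoers.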

Message sent:


From: owner@bugs.devuan.org (Devuan bug Tracking System)
To: KatolaZ <katolaz@freaknet.org>
Subject: bug#268: Info received (was mmhhh)

Thank you for the additional information you have supplied regarding
this problem report.  It has been forwarded to the developer(s) and
to the developers mailing list to accompany the original report.

Your message has been sent to the package maintainer(s):
 owner@bugs.devuan.org

If you wish to continue to submit further information on your problem,
please send it to 268@bugs.devuan.org, as before.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.

Devuan Bugs Owner
(administrator, Devuan bugs database)


Message received at control@bugs.devuan.org:


Received: (at control) by bugs.devuan.org; 8 Dec 2018 09:42:44 +0000
Date: Sat, 8 Dec 2018 10:45:26 +0100
From: KatolaZ <katolaz@freaknet.org>
To: control@bugs.devuan.org
Subject: merge

merge 268 269
quit
done



Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Wed, 20 Feb 2019 07:39:01 UTC