(RHEL-18791) CVE-2023-26604 systemd: privilege escalation via the less pager #424

Merged (4 commits), Jan 18, 2024

Conversation

@brozs brozs commented Jan 18, 2024

Resolves: RHEL-18791

poettering and others added 4 commits January 18, 2024 10:49
Some extra safety when invoked via "sudo". With this we address a
genuine design flaw of sudo, and we shouldn't need to deal with this.
But it's still a good idea to disable this surface given how exotic it
is.

Prompted by #5666

(cherry picked from commit 612ebf6)

Related: RHEL-18791
A long time some function only worked when in a session, and the test
didn't execute them when sd_pid_get_session() failed. Let's always call
them to increase coverage.

While at it, let's test for ==0 not >=0 where we don't expect the function
to return anything except 0 or error.

(cherry picked from commit 1b5b507)

Related: RHEL-18791
…uested

The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about
less now), and we automatically enable secure mode in certain cases, but not
otherwise.

This approach is more nuanced, but should provide a better experience for
users:

- Previously we would set LESSSECURE=1 and trust the pager to make use of
  it. But this has an effect only on less. We need to not start pagers which
  are insecure when in secure mode. In particular more is like that and is a
  very popular pager.

- We don't enable secure mode always, which means that those other pagers can
  reasonably be used.

- We do the right thing by default, but the user has ultimate control by
  setting SYSTEMD_PAGERSECURE.

Fixes #5666.

v2:
- also check $PKEXEC_UID

v3:
- use 'sd_pid_get_owner_uid() != geteuid()' as the condition

(cherry picked from commit 0a42426)

Resolves: RHEL-18791
Ubuntu builds on the Launchpad infrastructure run inside a chroot that does
not have the sysfs cgroup dirs mounted, so this call will return ENOMEDIUM
from cg_unified_cached() during the build-time testing, for example when
building the package in a Launchpad PPA.

(cherry picked from commit 352ab9d)

Related: RHEL-18791
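The third commit above (0a42426) describes the decision the pager code now makes: an explicit SYSTEMD_PAGERSECURE wins; otherwise secure mode is switched on automatically when $PKEXEC_UID is set or when sd_pid_get_owner_uid() differs from geteuid(); in secure mode LESSSECURE=1 is exported and a pager without a secure mode (more) is refused. The following C program is an added example written for this page, not code from systemd or this PR. It takes the session owner UID, the effective UID and the two environment values as plain parameters instead of calling sd_pid_get_owner_uid()/getenv(), so it runs stand-alone; the function names decide_pager, parse_bool_env and pager_known_insecure, the accepted boolean spellings, the "more"-only insecure list and the handling of an unknown owner UID are all this example's assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* What the caller must do before it spawns the pager. */
typedef struct {
    bool secure;         /* secure mode is in effect */
    bool set_lesssecure; /* export LESSSECURE=1 into the pager's environment */
    bool refuse_pager;   /* chosen pager cannot honour secure mode: do not start it */
} pager_decision;

/* Parse an explicit SYSTEMD_PAGERSECURE value (example assumption: these
 * spellings). Returns 1 (secure), 0 (not secure), -1 when unset/unparseable. */
static int parse_bool_env(const char *v) {
    if (!v || !*v)
        return -1;
    if (!strcmp(v, "1") || !strcmp(v, "yes") || !strcmp(v, "true") || !strcmp(v, "on"))
        return 1;
    if (!strcmp(v, "0") || !strcmp(v, "no") || !strcmp(v, "false") || !strcmp(v, "off"))
        return 0;
    return -1;
}

/* Pagers with no secure mode at all. The commit message names "more"; the
 * list is this example's, not systemd's. Compares the basename so that
 * "/usr/bin/more" and "more" are treated alike. */
static bool pager_known_insecure(const char *pager) {
    const char *slash = strrchr(pager, '/');
    const char *base = slash ? slash + 1 : pager;
    return strcmp(base, "more") == 0;
}

/*
 * pagersecure_env : value of $SYSTEMD_PAGERSECURE, or NULL if unset
 * pkexec_uid_env  : value of $PKEXEC_UID, or NULL if unset
 * owner_uid_known : whether the session owner UID could be determined
 * owner_uid       : what sd_pid_get_owner_uid() reported for this process
 * euid            : geteuid() of this process
 * pager           : pager that is about to be spawned
 */
pager_decision decide_pager(const char *pagersecure_env, const char *pkexec_uid_env,
                            bool owner_uid_known, uid_t owner_uid, uid_t euid,
                            const char *pager) {
    pager_decision d = {0};
    int explicit = parse_bool_env(pagersecure_env);

    if (explicit >= 0) {
        /* The user has ultimate control. */
        d.secure = (explicit == 1);
    } else {
        /* Automatic: a privilege boundary was crossed via pkexec, or the
         * effective UID differs from the session owner (e.g. sudo). When the
         * owner UID is unknown, only the pkexec check applies (example's choice). */
        d.secure = (pkexec_uid_env != NULL) ||
                   (owner_uid_known && owner_uid != euid);
    }

    if (d.secure) {
        d.set_lesssecure = true;                      /* for less */
        d.refuse_pager = pager_known_insecure(pager); /* more cannot be made secure */
    }
    return d;
}

static void show(const char *label, pager_decision d) {
    printf("%-42s secure=%d LESSSECURE=%d refuse=%d\n",
           label, d.secure, d.set_lesssecure, d.refuse_pager);
}

int main(void) {
    /* Constructed scenarios; not real process state. */
    show("plain user, less",                  decide_pager(NULL, NULL, true, 1000, 1000, "less"));
    show("sudo (owner 1000, euid 0), less",   decide_pager(NULL, NULL, true, 1000, 0, "less"));
    show("sudo, more",                        decide_pager(NULL, NULL, true, 1000, 0, "/usr/bin/more"));
    show("pkexec (PKEXEC_UID set), less",     decide_pager(NULL, "1000", true, 0, 0, "less"));
    show("sudo, SYSTEMD_PAGERSECURE=0, more", decide_pager("0", NULL, true, 1000, 0, "more"));
    show("plain, SYSTEMD_PAGERSECURE=1, more", decide_pager("1", NULL, true, 1000, 1000, "more"));
    show("no session (owner unknown), less",  decide_pager(NULL, NULL, false, 0, 0, "less"));
    return 0;
}
```

The point worth noticing is the split the commit message makes: LESSSECURE=1 only helps if the pager is less, so the check on the pager itself is what actually closes the hole for more, while the explicit SYSTEMD_PAGERSECURE=0 path shows why that variable, not LESSSECURE, is the user-facing switch.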
@github-actions github-actions bot added rhel-8.6.0 pr/needs-ci Formerly needs-ci pr/needs-review Formerly needs-review labels Jan 18, 2024

github-actions bot commented Jan 18, 2024

Commit validation

Tracker - RHEL-18791

The following commits meet all requirements

commit upstream
698aba1 - pager: set $LESSSECURE whenever we invoke a pager systemd/systemd@612ebf6
ef850b2 - test-login: always test sd_pid_get_owner_uid(), modernize systemd/systemd@1b5b507
195b2e2 - pager: make pager secure when under euid is changed or explicitly requ… systemd/systemd@0a42426
914ba52 - test: ignore ENOMEDIUM error from sd_pid_get_cgroup() systemd/systemd@352ab9d

Tracker validation

Success

🟢 Tracker RHEL-18791 has set desired product: rhel-8.6.0.z
🟢 Tracker RHEL-18791 has set desired component: systemd
🟢 Tracker RHEL-18791 has been approved


Pull Request validation

Success

🟢 CI - All checks have passed
🟢 Review - Reviewed by a member
🟢 Approval - Changes were approved


Auto Merge

Failed

🔴 Pull Request has unsupported target branch rhel-8.6.0, expected branches are: 'main,master'

Success

🟢 Pull Request is not marked as draft and it's not blocked by dont-merge label
🟢 Pull Request meets requirements, title has correct form
🟢 Pull Request meets requirements, mergeable is true
🟢 Pull Request meets requirements, mergeable_state is clean


@dtardon dtardon left a comment


LGTM

@github-actions github-actions bot added pr/needs-manual-merge and removed pr/needs-ci Formerly needs-ci pr/needs-review Formerly needs-review labels Jan 18, 2024
@jamacku jamacku merged commit 67ed34d into redhat-plumbers:rhel-8.6.0 Jan 18, 2024
4 checks passed