Univention Bugzilla – Bug 44054
{samba,nfs}-shares listener - take over any server as teacher/staff
Last modified: 2022-04-26 22:28:00 CEST
This issue has been filed against UCS@school 4.1 (R2). The maintenance with bug and security fixes for UCS@school 4.1 (R2) ended on 5 April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3 (or later). Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
Decided to fix this in the listener for shares!
The protection of paths in NFS shares is pseudo. Currently /etc seems blocked but isn't: creating a share with a ../ path works fine:

    path: /foo/bar/bar/../../../etc
    root_squash: 0
    writeable: 1
    directorymode: 03777

From any external system do:

    # cat >> /etc/fstab
    10.200.27.5:/foo/bar/bar/../../../etc /tmp/etc nfs rw 0 0
    ^D
    # mount /tmp/etc
    # cat /tmp/etc/ldap.secret
    OjSAyH4gsdq5I7XqycQF
We have to restrict /etc (because of /etc/ldap.secret, etc.) and /var (because of /var/lib/samba/private/secrets.ldb and /var/lib/docker). And /dev /proc /root /sys /tmp as the current syntax class prevents.
Also need to consider write permissions: putting/replacing files in /bin is also possible:

    $ smbclient "\\\\$(hostname -f)\binaries" -U 'demo_student%univention' -c 'put sudo'
    Unable to initialize messaging context
    putting file sudo as \sudo (34409,3 kb/s) (average 34410,2 kb/s)
    # ls -l /bin/sudo
    -rwxrwxr-x+ 1 demo_student root 140944 Mai  4 20:10 /bin/sudo
Another vulnerability: add a \n plus a new NFS share to an attribute which is printed to /etc/exports:

    udm shares/share create --set path=/home/ --set host=$(hostname -f) --set name=s4hwck8pxw
    python
    >>> import univention.admin.uldap
    >>> lo,po=univention.admin.uldap.getAdminConnection()
    >>> lo.modify("cn=s4hwck8pxw,dc=base", [('univentionShareNFSAllowed', '', '# foo\n"/etc" -rw,root_squash,sync,subtree_check * #')])
    tail /etc/exports
    "/home/" -rw,root_squash,sync,subtree_check # foo
    "/etc" -rw,root_squash,sync,subtree_check * # # LDAP:cn=s4hwck8pxw,l=school,l=dev
We should not make this a "salami-bug", adding slice after slice, otherwise we will never get it done. Please consider splitting as you see fit.
Another root-code execution exploit:

    univention.lib.listenerSharePath.checkDirFileSystem("/'; id; echo 'foo", {})

This is fixed via using pipes.quote().

Via the attribute 'univentionShareSambaCustomSetting' it is possible to inject more share section entries. This is still possible, I will create a new bug for this. Same applies for all other attributes which were not quoted during inserting. The quoting is now done.

If the share path was blacklisted, the file was created nevertheless, except that the directory was not created and chmod was not performed (aka executing createOrRename()). The block has been moved to the top.

I added UCR variables for adding whitelists. The default whitelist is:

    listener/shares/whitelist/defaults?/home:/opt:/run:/media:/mnt:/srv

They seem relatively safe (except /home/ with write permissions, but that is of course required).

@Arvid: before I merge anything, could you do a code review? git:fbest/44054-fix-share-path-restrictions
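A defensive sketch of the three checks discussed in the thread: normalising the share path before any whitelist comparison (so "/foo/bar/bar/../../../etc" is judged as /etc), refusing control characters and comment markers in values that end up on an /etc/exports line, and shell-quoting the path before it reaches a command. This is added example code, not the listener's own code from univention-lib; the default-deny whitelist semantics, the colon-separated whitelist value (the UCR default above plus the opsi depot path), and the exports line layout are my assumptions.

```python
import os
import shlex

# Constructed default: the whitelist value quoted in the thread plus one of the
# opsi paths added on merge, colon-separated like the UCR variable.
DEFAULT_WHITELIST = "/home:/opt:/run:/media:/mnt:/srv:/var/lib/opsi/depot"


def unsafe_for_exports(value):
    """True if value could break out of, or comment away, an /etc/exports line."""
    return "#" in value or any(ord(c) < 0x20 or ord(c) == 0x7f for c in value)


def normalize_share_path(path):
    """Canonical absolute form of a share path, or None if it is unusable."""
    if not isinstance(path, str) or not path.startswith("/") or unsafe_for_exports(path):
        return None
    # Collapse '..' and '//' BEFORE comparing against any list; comparing the
    # raw string is what let "/foo/bar/bar/../../../etc" pass as "not /etc".
    # Once the directory exists, os.path.realpath would also resolve symlinks;
    # normpath is purely lexical so this example runs without touching disk.
    return os.path.normpath(path)


def is_share_path_allowed(path, whitelist=DEFAULT_WHITELIST):
    """Default-deny: allow only paths at or below a whitelist entry (assumed semantics)."""
    norm = normalize_share_path(path)
    if norm is None or norm == "/":
        return False
    for entry in whitelist.split(":"):
        base = os.path.normpath(entry) if entry else None  # "/srv/" and "/srv" both work
        if base and base != "/" and (norm == base or norm.startswith(base + "/")):
            return True
    return False


def exports_line(path, options="rw,root_squash,sync,subtree_check", clients="*"):
    """One /etc/exports line (assumed layout); refuse anything that could alter the format."""
    if not is_share_path_allowed(path) or unsafe_for_exports(options + clients):
        raise ValueError("refusing to export %r" % (path,))
    return '"%s" -%s %s' % (normalize_share_path(path), options, clients)


def shell_arg(path):
    """Quote a path for a command line, as pipes.quote() / shlex.quote() does."""
    return shlex.quote(path)
```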
Created attachment 10034 [details] qa-feedback.diff
Thanks. Merged the changes with some enhancements.

    commit f51705c39e484d16af61c74d9f68598398860a29
    Merge: 2ed74aefeb 7f6d4854e4
    Bug #44054: Merge branch 'fbest/44054-fix-share-path-restrictions' into 4.4-0

I saw a few packages which are creating shares and added whitelist rules for them:

    "/usr/share/italc-windows"
    "/var/lib/opsi/depot"
    "/var/lib/opsi/ntfs-images"
    "/var/lib/opsi/depot"
    "/var/lib/opsi/workbench"
This test

    53_samba-common.46share_access_permissions_sambaValidUsers

fails on all samba installations in http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-0/job/AutotestJoin/lastCompletedBuild/testReport/

Please check if this has something to do with this change.
(In reply to Felix Botner from comment #12)
> This test
>
> 53_samba-common.46share_access_permissions_sambaValidUsers
>
> fails on all samba installation in
>
> http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-0/job/AutotestJoin/lastCompletedBuild/testReport/
>
> Please check if this has something to do with this change.

Yes, unfortunately we are storing already quoted values in LDAP.
Fixed here:

    univention-samba4 (8.0.0-24) de490f429f5f | Bug #44054: do not quote already quoted univentionShareSambaValidUsers univentionShareSambaInvalidUsers
    univention-samba (13.0.0-5) de490f429f5f | Bug #44054: do not quote already quoted univentionShareSambaValidUsers univentionShareSambaInvalidUsers
    univention-lib (8.0.0-13) 1bfae9e36958 | Bug #44054: allow to leave out trailing slash
Created attachment 10040 [details] 1.diff

The attached patch shows the locations where we should improve log messages and UCR variable documentation to point out that the listener needs to be restarted to make changed whitelist UCR variables take effect.
Patch applied, thanks.
Ok.
<http://errata.software-univention.de/ucs/4.4/125.html>
<http://errata.software-univention.de/ucs/4.4/127.html>
<http://errata.software-univention.de/ucs/4.4/131.html>
<http://errata.software-univention.de/ucs/4.4/132.html>