This patchset restricts dangerous file permissions, either SUID binaries or executable binaries within /var/ipfire/ owned by "nobody", to their absolute need-to-work basis. This makes privilege escalation by "nobody" through IPFire-specific files harder, as there is no longer a direct vehicle for writing arbitrary shell code into a file that is later executed with higher privileges.
Partially fixes: #12619
Peter Müller (20): GnuPG does not need to have a SUID bit set Core Update 157: remove SUID bit from /usr/bin/gpg /usr/bin/ping does not need a SUID bit if appropriate capabilities are set Core Update 157: Delete ssh-keysign binary DMA: do not ship a binary for creating mail boxes Core Update 157: Delete orphaned DMA mail box creation binary as well Core Update 157: /var/ipfire/fwhosts/icmp-types does not have to be executable Core Update 157: Ship changed iputils due to /usr/bin/ping changes backup: prevent /var/ipfire/backup/bin/backup.pl from being owned by nobody SquidGuard: Prevent binaries within /var/ipfire/urlfilter/bin/ from being owned by nobody Core Update 157: Apply changed permissions to /var/ipfire/urlfilter/bin/ Squid: Prevent binaries within /var/ipfire/updatexlrator/bin/ from being owned by nobody Core Update 157: Apply changed permissions to /var/ipfire/updatexlrator/bin/ OpenVPN: ovpn-leases.db for sure does not have to be executable Core Update 157: Apply changed permissions to /var/ipfire/ovpn/ovpn-leases.db Core Update 157: Remove executable bit less ugly NRPE: Prevent NRPE binary from being owned by "nobody" nagios-plugins: Prevent Nagios plugins from being owned by nobody Squid: cachemgr.cgi does not have to be owned (hence writeable) by nobody Core Update 157: Apply changed permissions to /srv/web/ipfire/cgi-bin/cachemgr.cgi
config/rootfiles/common/dma | 2 +- config/rootfiles/core/157/filelists/iputils | 1 + config/rootfiles/core/157/update.sh | 18 ++++++++++++++++++ lfs/backup | 7 ++++--- lfs/gnupg | 4 ++-- lfs/iputils | 7 +++++-- lfs/nagios-plugins | 8 ++++++-- lfs/nagios_nrpe | 7 +++++-- lfs/openvpn | 4 ++-- lfs/squid | 5 +++-- lfs/squidguard | 3 ++- 11 files changed, 49 insertions(+), 17 deletions(-) create mode 120000 config/rootfiles/core/157/filelists/iputils
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- lfs/gnupg | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lfs/gnupg b/lfs/gnupg
index f94948fe9..624855686 100644
--- a/lfs/gnupg
+++ b/lfs/gnupg
@@ -1,7 +1,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team info@ipfire.org #
+# Copyright (C) 2007-2021 IPFire Team info@ipfire.org #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -77,6 +77,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && ./configure --prefix=/usr --libexecdir=/usr/lib --disable-nls
 cd $(DIR_APP) && make $(MAKETUNING)
 cd $(DIR_APP) && make install
- chmod -v 4755 /usr/bin/gpg
+ chmod -v 755 /usr/bin/gpg
 @rm -rf $(DIR_APP)
 @$(POSTBUILD)
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/rootfiles/core/157/update.sh | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index 09b8d8968..322e2ada2 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -103,6 +103,9 @@ ldconfig
 # Filesytem cleanup
 /usr/local/bin/filesystem-cleanup
+# Fix file permissions changed
+chmod -s /usr/bin/gpg
+
 # Start services
 /etc/init.d/sshd restart
 /etc/init.d/apache restart
Cc: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org --- lfs/iputils | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lfs/iputils b/lfs/iputils
index b1e2e2216..ae692df7a 100644
--- a/lfs/iputils
+++ b/lfs/iputils
@@ -1,7 +1,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team info@ipfire.org #
+# Copyright (C) 2007-2021 IPFire Team info@ipfire.org #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -71,9 +71,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 cd $(DIR_APP) && make ping tracepath
- cd $(DIR_APP) && install -m 4755 ping /usr/bin
+ cd $(DIR_APP) && install -m 0755 ping /usr/bin
 cd $(DIR_APP) && install -m 0755 tracepath /usr/bin
+ # Allow execution of /usr/bin/ping by other users than "root"
+ setcap cap_net_raw+ep /usr/bin/ping
+
 # Some scripts expect ping in /bin/ping.
 ln -svf ../usr/bin/ping /bin/ping
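Review bot: The CAP_NET_RAW file capability set by the new `setcap` line lives in an extended attribute, and nothing in this series re-applies it on upgraded systems: the core/157 update.sh hunks only chmod/chown, so if the update tarball is unpacked without xattr support /usr/bin/ping ends up with neither the SUID bit nor the capability and every non-root caller (presumably including the web UI's ping) breaks silently. I would add `setcap cap_net_raw+ep /usr/bin/ping` to update.sh next to the other permission fixes, and guard the build with `getcap /usr/bin/ping | grep -q cap_net_raw` right after the setcap so a silently dropped xattr fails the build instead of shipping. As far as I can tell cap_net_raw is the minimal set ping needs for its raw socket, so the capability choice itself looks right. The $(TARGET) recipe starts above the hunk.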
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/rootfiles/core/157/update.sh | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index 322e2ada2..0f4c76346 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -106,6 +106,9 @@ ldconfig
 # Fix file permissions changed
 chmod -s /usr/bin/gpg
+# Delete scrubbed files
+rm -f /usr/lib/openssh/ssh-keysign
+
 # Start services
 /etc/init.d/sshd restart
 /etc/init.d/apache restart
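Review bot: The `rm -f /usr/lib/openssh/ssh-keysign` only fixes systems that go through this update; neither lfs/openssh nor the openssh rootfile appears in the series' diffstat, so the next OpenSSH rebuild will presumably install and ship the set-uid helper again and the hardening regresses without anyone noticing. The deletion should be paired with removing the file in lfs/openssh after `make install` and dropping its line from the rootfile, the same way the dma commit in this series handles dma-mbox-create. It would also help to state in the commit message that ssh-keysign is, as far as I can tell, only used for client-side HostbasedAuthentication, which is the actual reason it is safe to drop here.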
This is only needed in case of bounces generated by locally emitted messages. We neither store these, nor do we create mail boxes on a firewall. Safe to drop.
Cc: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/rootfiles/common/dma | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/rootfiles/common/dma b/config/rootfiles/common/dma
index e98e67415..79cad8ece 100644
--- a/config/rootfiles/common/dma
+++ b/config/rootfiles/common/dma
@@ -1,5 +1,5 @@
 etc/alternatives/sendmail
-usr/lib/dma-mbox-create
+#usr/lib/dma-mbox-create
 usr/sbin/dma
 usr/sbin/dma-cleanup-spool
 usr/sbin/mailq
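Review bot: Commenting the entry out of the rootfile keeps dma-mbox-create out of the image, but lfs/dma is not in this series' diffstat, so the build still produces and installs the binary and only the rootfile filter hides it; deleting it in lfs/dma right after `make install` would make the build, the rootfile and the update.sh `rm -f` agree with each other. Please also confirm that the "only needed for bounces" claim in the commit message covers local delivery in general: as far as I can tell dma execs this helper whenever a local recipient's mailbox does not exist yet (cron mail to a local MAILTO, for instance), and that path will now fail instead of creating the mailbox. If that is intended, a one-line note in the message would save the next reader the investigation.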
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/rootfiles/core/157/update.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index 0f4c76346..8738a1e46 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -107,7 +107,9 @@ ldconfig
 chmod -s /usr/bin/gpg
 # Delete scrubbed files
-rm -f /usr/lib/openssh/ssh-keysign
+rm -f \
+ /usr/lib/dma-mbox-create \
+ /usr/lib/openssh/ssh-keysign
 # Start services
 /etc/init.d/sshd restart
See commit 183ccaa5a5c95f4cb2b639360f3c1465567577e9.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/rootfiles/core/157/update.sh | 1 + 1 file changed, 1 insertion(+)
diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index 8738a1e46..7ed02d690 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -105,6 +105,7 @@ ldconfig
 # Fix file permissions changed
 chmod -s /usr/bin/gpg
+chmod -x /var/ipfire/fwhosts/icmp-types
 # Delete scrubbed files
 rm -f \
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/rootfiles/core/157/filelists/iputils | 1 + 1 file changed, 1 insertion(+) create mode 120000 config/rootfiles/core/157/filelists/iputils
diff --git a/config/rootfiles/core/157/filelists/iputils b/config/rootfiles/core/157/filelists/iputils
new file mode 120000
index 000000000..361c28f71
--- /dev/null
+++ b/config/rootfiles/core/157/filelists/iputils
@@ -0,0 +1 @@
+../../../common/iputils
\ No newline at end of file
This is dangerous, as "nobody" could write arbitrary contents to this file which would later be executed by a more privileged process.
Partially fixes: #12619
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- lfs/backup | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/lfs/backup b/lfs/backup
index 791d87adb..9d3e05735 100644
--- a/lfs/backup
+++ b/lfs/backup
@@ -1,7 +1,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team info@ipfire.org #
+# Copyright (C) 2007-2021 IPFire Team info@ipfire.org #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -30,7 +30,7 @@ THISAPP = backup-$(VER)
 DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = backup
-PAK_VER = 1
+PAK_VER = 2
DEPS =
@@ -56,10 +56,11 @@ dist:
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
 -mkdir -p /var/ipfire/backup/bin
- install -v -m 755 $(DIR_SRC)/config/backup/backup.pl /var/ipfire/backup/bin
+ install -v -m 755 -o root $(DIR_SRC)/config/backup/backup.pl /var/ipfire/backup/bin
 install -v -m 644 $(DIR_SRC)/config/backup/include /var/ipfire/backup/
 install -v -m 644 $(DIR_SRC)/config/backup/exclude /var/ipfire/backup/
 chown nobody:nobody -R /var/ipfire/backup/
+ chown root:root -R /var/ipfire/backup/bin/
 -mkdir -p /var/ipfire/backup/addons
 -mkdir -p /var/ipfire/backup/addons/includes
 -mkdir -p /var/ipfire/backup/addons/backup
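Review bot: Re-owning /var/ipfire/backup/bin to root does not yet stop "nobody" from swapping the script, because the parent /var/ipfire/backup/ is still handed to nobody:nobody by the recursive chown two lines above: a process running as nobody can `mv bin bin.orig && mkdir bin` inside the directory it owns and place its own backup.pl under the original path, and a sticky bit would not help since the directory owner is exempt from it. Unless something outside this hunk needs nobody to create entries directly in /var/ipfire/backup/, I would keep that directory root-owned as well, e.g. `chown root:root /var/ipfire/backup /var/ipfire/backup/bin` after the recursive chown, leaving only include, exclude and addons/ owned by nobody. The `-o root` added to the install line is also dead code, as the recursive `chown nobody:nobody` right below overrides it before the new `chown root:root -R` line fixes it again; dropping it keeps the recipe honest about where ownership is really decided.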
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- lfs/squidguard | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lfs/squidguard b/lfs/squidguard
index eb13c41dd..d5eb30377 100644
--- a/lfs/squidguard
+++ b/lfs/squidguard
@@ -1,7 +1,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team info@ipfire.org #
+# Copyright (C) 2007-2021 IPFire Team info@ipfire.org #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -113,6 +113,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 /usr/bin/perl $(DIR_CONF)/urlfilter/makeconf.pl
 touch /var/ipfire/urlfilter/settings
 chown -R nobody:nobody /var/ipfire/urlfilter
+ chown -R root:root /var/ipfire/urlfilter/bin
 chmod 755 /srv/web/ipfire/html/images/urlfilter
 chmod 644 /srv/web/ipfire/html/images/urlfilter/*
 chown -R nobody:nobody /var/urlrepo
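Review bot: The new `chown -R root:root /var/ipfire/urlfilter/bin` leaves /var/ipfire/urlfilter itself owned by nobody (the line above), so nobody can still rename the bin directory aside and recreate it with its own binaries under the same paths; root ownership of a subtree is only as strong as its first nobody-owned ancestor. Unless the CGI needs to create entries directly in /var/ipfire/urlfilter, which the hunk does not show, consider a non-recursive `chown root:root /var/ipfire/urlfilter` after the two chowns, keeping the settings and blacklist files themselves writable for nobody. The $(TARGET) recipe starts above the hunk.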
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/rootfiles/core/157/update.sh | 1 + 1 file changed, 1 insertion(+)
diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index 7ed02d690..f46a47572 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -106,6 +106,7 @@ ldconfig
 # Fix file permissions changed
 chmod -s /usr/bin/gpg
 chmod -x /var/ipfire/fwhosts/icmp-types
+chown -R root:root /var/ipfire/urlfilter/bin
 # Delete scrubbed files
 rm -f \
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- lfs/squid | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lfs/squid b/lfs/squid
index 33cb95ba1..18cb30ef7 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -171,6 +171,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 ln -fs /bin/false /var/ipfire/updatexlrator/autocheck/cron.weekly
 chown -R nobody:nobody /var/ipfire/updatexlrator
+ chown -R root:root /var/ipfire/updatexlrator/bin
 chown nobody.squid /var/updatecache
 chown nobody.squid /var/updatecache/download
 chown nobody.squid /var/updatecache/metadata
@@ -186,7 +187,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 chown nobody.nobody /srv/web/ipfire/html/proxy.pac
 ln -sf /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/html/wpad.dat
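Review bot: Same ancestor problem as the other /var/ipfire chowns in this series: /var/ipfire/updatexlrator stays owned by nobody on the line above, so the root-owned bin/ beneath it can be renamed away and replaced by nobody inside the parent it owns, and the absolute path root later executes then points at attacker-controlled files. If nothing outside this hunk requires nobody to create entries directly in /var/ipfire/updatexlrator, add a non-recursive `chown root:root /var/ipfire/updatexlrator` after the recursive one. Minor: the `chown nobody.squid` lines in the same hunk use the legacy dot separator; `nobody:squid` matches the new line and the rest of the series. The $(TARGET) recipe starts above the hunk.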
- #Copy stylesheets for the errorpages
+ # Copy stylesheets for the errorpages
 cp -f $(DIR_SRC)/config/proxy/errorpage-ipfire.css /var/ipfire/proxy/
 cp -f /etc/squid/errorpage.css /var/ipfire/proxy/errorpage-squid.css
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/rootfiles/core/157/update.sh | 1 + 1 file changed, 1 insertion(+)
diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index f46a47572..c2fad638c 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -107,6 +107,7 @@ ldconfig
 chmod -s /usr/bin/gpg
 chmod -x /var/ipfire/fwhosts/icmp-types
 chown -R root:root /var/ipfire/urlfilter/bin
+chown -R root:root /var/ipfire/updatexlrator/bin
 # Delete scrubbed files
 rm -f \
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- lfs/openvpn | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lfs/openvpn b/lfs/openvpn
index b026d515b..81ccc52bf 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -1,7 +1,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2020 IPFire Team info@ipfire.org #
+# Copyright (C) 2007-2021 IPFire Team info@ipfire.org #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -89,7 +89,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 -mkdir -vp /var/ipfire/ovpn/n2nconf
 -mkdir -vp /var/ipfire/ovpn/scripts
 touch /var/ipfire/ovpn/ovpn-leases.db
- chmod 700 /var/ipfire/ovpn/ovpn-leases.db
+ chmod 600 /var/ipfire/ovpn/ovpn-leases.db
 chown -R root:root /var/ipfire/ovpn/scripts
 chown -R nobody:nobody /var/ipfire/ovpn
 chmod 700 /var/ipfire/ovpn/certs
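Review bot: The two chown lines directly below the changed one are in the wrong order and undermine exactly what this series is about: `chown -R root:root /var/ipfire/ovpn/scripts` is immediately undone by `chown -R nobody:nobody /var/ipfire/ovpn`, so the scripts directory ends up owned by nobody unless something outside the hunk re-applies it. Swapping the two lines (recursive nobody chown first, then `chown -R root:root /var/ipfire/ovpn/scripts`) and adding the same chown to the core 157 update.sh would fix it for freshly built and updated systems alike. The mode change itself is fine, though since the file stays nobody-owned the owner can always put the bit back; 600 mainly documents intent here.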
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/rootfiles/core/157/update.sh | 1 + 1 file changed, 1 insertion(+)
diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index c2fad638c..e270ef338 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -108,6 +108,7 @@ chmod -s /usr/bin/gpg
 chmod -x /var/ipfire/fwhosts/icmp-types
 chown -R root:root /var/ipfire/urlfilter/bin
 chown -R root:root /var/ipfire/updatexlrator/bin
+chmod 600 /var/ipfire/ovpn/ovpn-leases.db
 # Delete scrubbed files
 rm -f \
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/rootfiles/core/157/update.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index e270ef338..d71c9688c 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -105,10 +105,12 @@ ldconfig
 # Fix file permissions changed
 chmod -s /usr/bin/gpg
-chmod -x /var/ipfire/fwhosts/icmp-types
+chmod -x \
+ /var/ipfire/fwhosts/icmp-types \
+ /var/ipfire/ovpn/ovpn-leases.db
+
 chown -R root:root /var/ipfire/urlfilter/bin
 chown -R root:root /var/ipfire/updatexlrator/bin
-chmod 600 /var/ipfire/ovpn/ovpn-leases.db
 # Delete scrubbed files
 rm -f \
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- lfs/nagios_nrpe | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lfs/nagios_nrpe b/lfs/nagios_nrpe
index a8b4b3676..260bcc810 100644
--- a/lfs/nagios_nrpe
+++ b/lfs/nagios_nrpe
@@ -1,7 +1,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team info@ipfire.org #
+# Copyright (C) 2007-2021 IPFire Team info@ipfire.org #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
 DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = nagios_nrpe
-PAK_VER = 8
+PAK_VER = 9
DEPS = nagios-plugins
@@ -99,5 +99,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 install -v -m 644 ${DIR_SRC}/config/backup/includes/nagios_nrpe \
 /var/ipfire/backup/addons/includes/nagios_nrpe
+ # Prevent NRPE binary from being owned by "nobody"
+ chown root:root /usr/lib/nagios/check_nrpe
+
 @rm -rf $(DIR_APP)
 @$(POSTBUILD)
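Review bot: Only check_nrpe is re-owned here, but why it was owned by nobody in the first place is not visible in the hunk (the install step sits above it); if the ownership comes from the package's own install target, as NRPE's `--with-nrpe-user`-style options tend to cause, then whatever else that step installs, presumably the daemon binary and its config, is in the same state and stays that way. Please run `find /usr/lib/nagios -user nobody` in the build root and widen the chown to everything it lists, and extend the new comment with the cause (e.g. `# make install chowns to the NRPE runtime user; binaries must stay root-owned`) so the next person does not narrow it again. The PAK_VER bump will reinstall the package, which only propagates this fix if the pak tarball preserves ownership at pack time, worth a quick check on one box. The $(TARGET) recipe starts above the hunk.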
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- lfs/nagios-plugins | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lfs/nagios-plugins b/lfs/nagios-plugins
index ad081d5f6..d35a94bbe 100644
--- a/lfs/nagios-plugins
+++ b/lfs/nagios-plugins
@@ -1,7 +1,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team info@ipfire.org #
+# Copyright (C) 2007-2021 IPFire Team info@ipfire.org #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
 DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = nagios-plugins
-PAK_VER = 4
+PAK_VER = 5
DEPS =
@@ -88,4 +88,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && make $(MAKETUNING)
 cd $(DIR_APP) && make install
 @rm -rf $(DIR_APP)
+
+ # Prevent Nagios plugins from being owned (and hence writeable) by "nobody"
+ chown root:root -R /usr/lib/nagios/plugins
+
 @$(POSTBUILD)
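Review bot: `chown` on an executable clears its set-user-ID bit (on Linux even when root does it), so if any plugin under /usr/lib/nagios/plugins was installed setuid root, as check_icmp and check_dhcp commonly are because they need raw sockets, this recursive chown silently strips that and those checks start failing for the NRPE user. Please verify with `find /usr/lib/nagios/plugins -perm -4000` before and after the chown; if those two need privileges, grant them explicitly afterwards (`setcap cap_net_raw+ep` as this series already does for ping) rather than relying on whatever `make install` produced. Style nit: the other hunks in the series write `chown -R root:root PATH`; putting the option first here too keeps them consistent. The $(TARGET) recipe starts above the hunk.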
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- lfs/squid | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lfs/squid b/lfs/squid
index 18cb30ef7..38675f3f3 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -149,7 +149,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 chown -R squid:squid /var/log/squid /var/log/cache /var/log/updatexlrator
 cp /usr/lib/squid/cachemgr.cgi /srv/web/ipfire/cgi-bin/cachemgr.cgi
- chown nobody.nobody /srv/web/ipfire/cgi-bin/cachemgr.cgi
+ chown root:root /srv/web/ipfire/cgi-bin/cachemgr.cgi
 cp -f $(DIR_SRC)/config/updxlrator/updxlrator /usr/sbin/updxlrator
 cp -f $(DIR_SRC)/config/updxlrator/checkup /var/ipfire/updatexlrator/bin/checkup
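Review bot: The `cp` followed by `chown root:root` can be a single `install -m 755 -o root -g root /usr/lib/squid/cachemgr.cgi /srv/web/ipfire/cgi-bin/cachemgr.cgi`, which sets owner and mode in one step and makes the intended permissions visible in the recipe (the copy currently inherits whatever mode the source has, which the hunk does not show). The same ancestor caveat as elsewhere in this series applies: if /srv/web/ipfire/cgi-bin is itself owned by nobody, the file can be renamed and replaced regardless of its own owner, so that directory's ownership is worth checking too. The $(TARGET) recipe starts above the hunk.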
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/rootfiles/core/157/update.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index d71c9688c..ce7b6f5bf 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -109,8 +109,12 @@ chmod -x \
 /var/ipfire/fwhosts/icmp-types \
 /var/ipfire/ovpn/ovpn-leases.db
-chown -R root:root /var/ipfire/urlfilter/bin
-chown -R root:root /var/ipfire/updatexlrator/bin
+chown -R root:root \
+ /var/ipfire/updatexlrator/bin \
+ /var/ipfire/urlfilter/bin
+
+chown root:root \
+ /srv/web/ipfire/cgi-bin/cachemgr.cgi
 # Delete scrubbed files
 rm -f \