|
 |
49aaf6 |
From 71b0389fbb31833d827f5f0fec18880c2f602753 Mon Sep 17 00:00:00 2001
|
|
|
49aaf6 |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
49aaf6 |
Date: Thu, 19 May 2022 13:52:22 +0300
|
|
|
49aaf6 |
Subject: [PATCH] mkhomedir: add support for pre-CVE-2020-10737 behavior
|
|
|
49aaf6 |
|
|
|
49aaf6 |
Pre-CVE-2020-10737 behavior was used to allow creating home directories
|
|
|
49aaf6 |
on NFS mounts when non-Kerberos authentication method is in use. This is
|
|
|
49aaf6 |
exactly the case where a race condition addressed by the CVE-2020-10737
|
|
|
49aaf6 |
fix could have happened. However, there are legit use cases where this
|
|
|
49aaf6 |
setup is needed.
|
|
|
49aaf6 |
|
|
|
49aaf6 |
Add '-f' option to mkhomedir helper to activate previous behavior. In
|
|
|
49aaf6 |
order to enable it, a change to oddjobd-mkhomedir.conf configuration
|
|
|
49aaf6 |
file is needed by explicitly adding '-f' option to the executable file
|
|
|
49aaf6 |
definition.
|
|
|
49aaf6 |
|
|
|
49aaf6 |
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2050079
|
|
|
49aaf6 |
|
|
|
49aaf6 |
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
49aaf6 |
---
|
|
|
49aaf6 |
src/mkhomedir.c | 16 +++++++++++++---
|
|
|
49aaf6 |
src/oddjobd-mkhomedir.conf.5.in | 9 +++++++++
|
|
|
49aaf6 |
2 files changed, 22 insertions(+), 3 deletions(-)
|
|
|
49aaf6 |
|
|
|
49aaf6 |
diff --git a/src/mkhomedir.c b/src/mkhomedir.c
|
|
|
49aaf6 |
index be85959..ac813a9 100644
|
|
|
49aaf6 |
--- a/src/mkhomedir.c
|
|
|
49aaf6 |
+++ b/src/mkhomedir.c
|
|
|
49aaf6 |
@@ -53,9 +53,11 @@ static const char *skel;
|
|
|
49aaf6 |
static const char *skel_dir;
|
|
|
49aaf6 |
static struct passwd *pwd;
|
|
|
49aaf6 |
static mode_t override_umask;
|
|
|
49aaf6 |
+static int owner_mkdir_first = 0;
|
|
|
49aaf6 |
|
|
|
49aaf6 |
#define FLAG_POPULATE (1 << 0)
|
|
|
49aaf6 |
#define FLAG_QUIET (1 << 1)
|
|
|
49aaf6 |
+#define FLAG_OWNER_MKDIR_FIRST (1 << 2)
|
|
|
49aaf6 |
|
|
|
49aaf6 |
/* Given the path of an item somewhere in the skeleton directory, create as
|
|
|
49aaf6 |
* identical as possible a copy in the destination tree. */
|
|
|
49aaf6 |
@@ -158,7 +160,7 @@ copy_single_item(const char *source, const struct stat *sb,
|
|
|
49aaf6 |
* target user just yet to avoid potential race conditions
|
|
|
49aaf6 |
* involving symlink attacks when we copy over the skeleton
|
|
|
49aaf6 |
* tree. */
|
|
|
49aaf6 |
- if (status->level == 0) {
|
|
|
49aaf6 |
+ if (status->level == 0 && !owner_mkdir_first) {
|
|
|
49aaf6 |
uid = 0;
|
|
|
49aaf6 |
gid = 0;
|
|
|
49aaf6 |
}
|
|
|
49aaf6 |
@@ -222,6 +224,9 @@ mkhomedir(const char *user, int flags)
|
|
|
49aaf6 |
pwd->pw_dir);
|
|
|
49aaf6 |
return HANDLER_INVALID_INVOCATION;
|
|
|
49aaf6 |
}
|
|
|
49aaf6 |
+ if (flags & FLAG_OWNER_MKDIR_FIRST) {
|
|
|
49aaf6 |
+ owner_mkdir_first = 1;
|
|
|
49aaf6 |
+ }
|
|
|
49aaf6 |
if ((lstat(pwd->pw_dir, &st) == -1) && (errno == ENOENT)) {
|
|
|
49aaf6 |
/* Figure out which location we're using as a
|
|
|
49aaf6 |
* template. */
|
|
|
49aaf6 |
@@ -237,7 +242,7 @@ mkhomedir(const char *user, int flags)
|
|
|
49aaf6 |
int res = nftw(get_skel_dir(), copy_single_item, 5,
|
|
|
49aaf6 |
FTW_PHYS);
|
|
|
49aaf6 |
/* only now give ownership to the target user */
|
|
|
49aaf6 |
- if (res == 0) {
|
|
|
49aaf6 |
+ if (res == 0 && !owner_mkdir_first) {
|
|
|
49aaf6 |
res = chown(pwd->pw_dir, pwd->pw_uid, pwd->pw_gid);
|
|
|
49aaf6 |
}
|
|
|
49aaf6 |
|
|
|
49aaf6 |
@@ -317,8 +322,11 @@ main(int argc, char **argv)
|
|
|
49aaf6 |
umask(override_umask);
|
|
|
49aaf6 |
skel_dir = "/etc/skel";
|
|
|
49aaf6 |
|
|
|
49aaf6 |
- while ((i = getopt(argc, argv, "nqs:u:")) != -1) {
|
|
|
49aaf6 |
+ while ((i = getopt(argc, argv, "nqfs:u:")) != -1) {
|
|
|
49aaf6 |
switch (i) {
|
|
|
49aaf6 |
+ case 'f':
|
|
|
49aaf6 |
+ flags |= FLAG_OWNER_MKDIR_FIRST;
|
|
|
49aaf6 |
+ break;
|
|
|
49aaf6 |
case 'n':
|
|
|
49aaf6 |
flags &= ~FLAG_POPULATE;
|
|
|
49aaf6 |
break;
|
|
|
49aaf6 |
@@ -339,6 +347,8 @@ main(int argc, char **argv)
|
|
|
49aaf6 |
break;
|
|
|
49aaf6 |
default:
|
|
|
49aaf6 |
fprintf(stderr, "Valid options:\n"
|
|
|
49aaf6 |
+ "-f\tCreate home directory initially owned by user, "
|
|
|
49aaf6 |
+ "not root. See man page for security issues.\n"
|
|
|
49aaf6 |
"-n\tDo not populate home directories, "
|
|
|
49aaf6 |
"just create them.\n"
|
|
|
49aaf6 |
"-q\tDo not print messages when creating "
|
|
|
49aaf6 |
diff --git a/src/oddjobd-mkhomedir.conf.5.in b/src/oddjobd-mkhomedir.conf.5.in
|
|
|
49aaf6 |
index d7a2429..6e35ad5 100644
|
|
|
49aaf6 |
--- a/src/oddjobd-mkhomedir.conf.5.in
|
|
|
49aaf6 |
+++ b/src/oddjobd-mkhomedir.conf.5.in
|
|
|
49aaf6 |
@@ -10,6 +10,15 @@ directory.
|
|
|
49aaf6 |
|
|
|
49aaf6 |
The mkhomedir helper itself accepts these options:
|
|
|
49aaf6 |
.TP
|
|
|
49aaf6 |
+-f
|
|
|
49aaf6 |
+Restore behavior before CVE-2020-10737 was fixed: create the home directory
|
|
|
49aaf6 |
+with user's ownership directly rather than create it as a root and only after
|
|
|
49aaf6 |
+populating it change to the user's ownership. The former behavior is insecure
|
|
|
49aaf6 |
+but may be used to allow creation of NFS-mounted home directories when
|
|
|
49aaf6 |
+non-Kerberos authentication is in use. It is prone for a race condition that
|
|
|
49aaf6 |
+could be exploited in the NFS-mounted home directories use case. To avoid
|
|
|
49aaf6 |
+CVE-2020-10737, do not use \fB-f\fR option in production environments.
|
|
|
49aaf6 |
+.TP
|
|
|
49aaf6 |
-q
|
|
|
49aaf6 |
Refrain from outputting the usual "Creating home directory..." message when it
|
|
|
49aaf6 |
creates a home directory.
|
|
|
49aaf6 |
--
|
|
|
49aaf6 |
2.37.1
|
|
|
49aaf6 |
|