diff options
| author | Tyler Hicks <tyhicks@canonical.com> | 2017-04-05 09:26:04 +1200 |
|---|---|---|
| committer | Robert Ancell <robert.ancell@canonical.com> | 2017-04-05 09:26:04 +1200 |
| commit | 1898dce397ca5d647214d89e846ad1f014244ab1 (patch) | |
| tree | c8276cd944c9ec24ad5abf8f3239427ad34a22d0 | |
| parent | 86c6734caf7dc2be62a2376e9b1c8a704b681875 (diff) | |
Detect existing malicious guest user home dirs
It was discovered that a local attacker could watch for lightdm's guest-account script to create a /tmp/guest-XXXXXX file and then quickly create the lowercase representation of the guest user's home directory before lightdm could. This allowed the attacker to have control of the guest user's home directory and, subsequently, gain control of an arbitrary directory in the filesystem which could lead to privilege escalation. This patch fixes the issue by detecting failures in creating a directory for the guest user's home directory. If the file (directory, symlink, etc.) already exists at the path, mkdir will fail and the script will exit. This means that it is still possible for a local user to carry out a denial of service on the guest user login feature.
| -rw-r--r-- | debian/guest-account.sh | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/debian/guest-account.sh b/debian/guest-account.sh index 48bbde69..f618390b 100644 --- a/debian/guest-account.sh +++ b/debian/guest-account.sh @@ -35,7 +35,13 @@ add_account () temp_home=$(mktemp -td guest-XXXXXX) GUEST_HOME=$(echo ${temp_home} | tr '[:upper:]' '[:lower:]') GUEST_USER=${GUEST_HOME#/tmp/} - [ ${GUEST_HOME} != ${temp_home} ] && mv ${temp_home} ${GUEST_HOME} + if [ "${GUEST_HOME}" != "${temp_home}" ]; then + mkdir "${GUEST_HOME}" || { + echo "Failed to create ${GUEST_USER}'s home directory (${GUEST_HOME})" + exit 1 + } + rmdir "${temp_home}" + fi # if ${GUEST_USER} already exists, it must be a locked system account with no existing # home directory |