Bug 1197463 - (CVE-2022-27814) AUDIT-FIND: CVE-2022-27814: swhkd: The `-c` Daemon Command Line Parameter Allows for Arbitrary File Existence Tests
Status: IN_PROGRESS
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Assigned To: Aakash Sen Sharma
Blocks: 1196890
Reported: 2022-03-24 09:26 UTC by Matthias Gerstner
Modified: 2022-04-14 08:53 UTC

Description Matthias Gerstner 2022-03-24 09:26:41 UTC
+++ This bug was initially created as a clone of Bug #1196890

This is to track parent bug issues 2.b):

 ## 2.b) The `-c` Daemon Command Line Parameter Allows for Arbitrary File Existence Tests

 Example:

     $ pkexec /usr/bin/swhkd -d -c /root/.somefile
     [2022-03-22T12:32:25Z ERROR swhkd] "/root/.somefile" doesn't exist

     $ pkexec /usr/bin/swhkd -d -c /root/.bash_history
     [...] (daemon starts "normal" operation)

Suggested Fix:

 ## 3.b) The Privileged Daemon needs to Drop Privileges to the User
Comment 1 Aakash Sen Sharma 2022-04-03 01:59:07 UTC
Hi, the following CVE has been fixed by Angelo from my team in the following patch: https://github.com/waycrate/swhkd/pull/102/files

Your insights on the patch will be very helpful.
Comment 2 Aakash Sen Sharma 2022-04-03 11:04:14 UTC
Updated patch link: https://github.com/waycrate/swhkd/pull/105/files.
Comment 3 Matthias Gerstner 2022-04-04 11:47:28 UTC
(In reply to aakashsensharma@gmail.com from comment #2)
> Updated patch link: https://github.com/waycrate/swhkd/pull/105/files.

Hmm, I don't see the reason why you are changing this to "cat" now. As I
suggested, dropping privileges to the invoking user will fix this, not
changing the way the file content is obtained.

You basically need to go the same route as in bug 1197468.
Comment 4 Aakash Sen Sharma 2022-04-05 01:16:57 UTC
https://github.com/waycrate/swhkd/pull/102 The following conversation might shed some light.

For some reason which I cannot diagnose yet, the effective uid is not taken into consideration by File::open().

I tried it both in the config.rs file and in the main file and it just did not work.

For now we're using cat as a hacky workaround, but we'll make sure we get to the bottom of the uid issue.
Comment 5 Matthias Gerstner 2022-04-05 08:30:18 UTC
(In reply to aakashsensharma@gmail.com from comment #4)
> https://github.com/waycrate/swhkd/pull/102 The following conversation might shed some light.
> 
> For some reason which I cannot diagnose yet, the effective uid is not taken into consideration by File::open()
> 
> I tried it both in config.rs file and in the main file and it just did not work
> 
> for now we're using cat as a hacky workaround but we'll make sure we get to the bottom of the uid issue.

You shouldn't "fix" security issues if you don't exactly know what is going
on. You have to get to the bottom of this.

I commented in the PR# about a likely cause of this behaviour. Probably you
are not completely dropping root privileges.
Comment 6 Aakash Sen Sharma 2022-04-05 10:19:40 UTC
I read the PR comment. Going through the documentation of unistd to find the optimal way to get the gid of a user from uid.
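
Added example (not swhkd code and not part of this report): a Rust check a daemon can run after changing identity to see which root credentials it still holds, read from `/proc/self/status`. Linux checks file access against the filesystem UID/GID and the supplementary groups, so changing only the UID leaves root's groups in place. The target ids 1000, the sample text and all function names are constructed for illustration.

```rust
use std::fs;
/// Credentials as listed in /proc/<pid>/status on Linux.
#[derive(Debug, Default)]
pub struct Creds {
    pub uids: Vec<u32>,   // real, effective, saved, filesystem
    pub gids: Vec<u32>,   // real, effective, saved, filesystem
    pub groups: Vec<u32>, // supplementary groups
}

// Constructed sample: a process that changed all four UIDs but no group IDs.
pub const SAMPLE: &str = "Name:\tdaemon\nUid:\t1000\t1000\t1000\t1000\nGid:\t0\t0\t0\t0\nGroups:\t0 \n";

/// Parse the Uid:, Gid: and Groups: lines of a status document.
pub fn parse_status(text: &str) -> Creds {
    let mut c = Creds::default();
    for (key, rest) in text.lines().filter_map(|l| l.split_once(':')) {
        let ids: Vec<u32> = rest.split_whitespace().filter_map(|f| f.parse().ok()).collect();
        match key {
            "Uid" => c.uids = ids,
            "Gid" => c.gids = ids,
            "Groups" => c.groups = ids,
            _ => {}
        }
    }
    c
}

/// Identities that still differ from the target; an empty list means a complete drop.
/// `allowed` is the set of supplementary groups the target user legitimately has.
pub fn leftovers(c: &Creds, uid: u32, gid: u32, allowed: &[u32]) -> Vec<String> {
    let names = ["real", "effective", "saved", "filesystem"];
    let mut out = Vec::new();
    if c.uids.len() != 4 || c.gids.len() != 4 { out.push("Uid/Gid line missing or malformed".into()); }
    for (n, &u) in names.iter().zip(&c.uids) {
        if u != uid { out.push(format!("{} uid is still {}", n, u)); }
    }
    for (n, &g) in names.iter().zip(&c.gids) {
        if g != gid { out.push(format!("{} gid is still {}", n, g)); }
    }
    for &g in c.groups.iter().filter(|&&g| !allowed.contains(&g)) {
        out.push(format!("supplementary group {} retained", g));
    }
    out
}

fn main() {
    // 1000 is a placeholder target; a daemon would pass the invoking user's ids.
    let status = fs::read_to_string("/proc/self/status").expect("Linux procfs");
    for l in leftovers(&parse_status(&status), 1000, 1000, &[1000]) { println!("{}", l); }
}
```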