Bug #15829

Harden sudo config to avoid potential future privilege escalation

Added by intrigeri 4 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 08/21/2018
Due date:
% Done: 100%
Estimated time: 1.00 h
QA Check: Pass
Feature Branch: bugfix/15829-harden-sudo-config+force-all-tests
Type of work: Code
Blueprint:
Starter:
Affected tool:

2018-10-19_17-07.png View (78.2 KB) lamby, 10/19/2018 09:07 PM


Related issues

Blocks Tails - Feature #15506: Core work 2018Q4: Foundations Team Confirmed 04/08/2018

Associated revisions

Revision 55473230 (diff)
Added by intrigeri 4 months ago

Harden sudo configuration (refs: #15829).

This should not be needed because at the moment, none of these commands do
anything with their command-line arguments (except poweroff and reboot but their
arguments don't allow further privilege escalation), but better safe than sorry.

Revision 9554ae27
Added by intrigeri about 2 months ago

Merge branch 'bugfix/15829-harden-sudo-config+force-all-tests' into stable (Fix-committed: #15829)

History

#2 Updated by intrigeri 4 months ago

#3 Updated by intrigeri 4 months ago

  • Subject changed from Review sudo config for potential privilege escalation to Harden sudo config to avoid potential future privilege escalation
  • Description updated (diff)
  • Status changed from Confirmed to In Progress
  • Priority changed from High to Normal
  • Target version changed from Tails_3.9 to Tails_3.10.1
  • % Done changed from 0 to 10
  • Private changed from Yes to No
  • Feature Branch set to bugfix/15829-harden-sudo-config+force-all-tests
  • Type of work changed from Security Audit to Code

#4 Updated by intrigeri 4 months ago

  • Assignee changed from intrigeri to segfault
  • Estimated time set to 1.00 h
  • QA Check set to Ready for QA

1h because it would be nice to manually test the affected bits that our automated test suite does not exercise (i.e. I think only the boot profile part).

#5 Updated by intrigeri 4 months ago

  • % Done changed from 10 to 50

Forgot to say: it passes our full automated test suite.

#6 Updated by intrigeri 2 months ago

#7 Updated by intrigeri 2 months ago

#8 Updated by intrigeri 2 months ago

  • Assignee changed from segfault to lamby

(I think segfault has plenty enough on his plate for 3.10 => reassigning.)

@lamby: see comments above wrt. what should be manually tested. Thanks!

#9 Updated by lamby about 2 months ago

For those following along at home:

you can [append] "" to indicate that the command may only be run without command line arguments
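
The sudoers rule quoted above, turned into a small review aid (an added example, not part of this ticket or of the Tails code base): it reads sudoers-style rules and reports, per command, whether arguments are unrestricted, pinned with "", fixed, or wildcarded. The user name, paths and rules in SAMPLE are constructed; the parser assumes one rule per line, with no line continuations and no alias expansion.

```python
import re

# Constructed sudoers fragment (not the Tails configuration); the user name
# and paths are made up for this example.
SAMPLE = '''\
# constructed sample rules
Defaults env_reset
liveuser ALL = NOPASSWD: /usr/local/sbin/report-tool, /sbin/poweroff
liveuser ALL = NOPASSWD: /usr/local/sbin/report-tool "", /sbin/reboot ""
liveuser ALL = (root) NOPASSWD: /usr/bin/helper --status, /usr/bin/helper2 -f *
'''

RUNAS = re.compile(r"^\([^)]*\)\s*")        # e.g. "(root) "
TAGS = re.compile(r"^(?:[A-Z_]+\s*:\s*)+")  # e.g. "NOPASSWD: "

def classify(cmd):
    """Say how sudo matches command-line arguments for one command spec."""
    path, _, args = cmd.partition(" ")
    args = args.strip()
    if path == "ALL":
        return "any-command"
    if not args:
        return "any-args"       # bare path: every argument list is accepted
    if args == '""':
        return "no-args"        # "": only the argument-less call matches
    if any(c in args for c in "*?["):
        return "wildcard-args"  # wildcards match across word boundaries
    return "fixed-args"

def audit(text):
    """Return (line, user, command path, argument policy) per command spec."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] in "#@" or re.match(r"Defaults|\w+_Alias\b", line):
            continue
        who, sep, cmds = line.partition("=")
        if not sep:
            continue
        for cmd in re.split(r"(?<!\\),", cmds):
            cmd = TAGS.sub("", RUNAS.sub("", cmd.strip()))
            if cmd:
                findings.append((lineno, who.split()[0], cmd.split()[0], classify(cmd)))
    return findings

def unrestricted(text):
    """Command specs worth a second look: arguments are not pinned down."""
    return [f for f in audit(text) if f[3] in ("any-args", "wildcard-args", "any-command")]
```

On the sample, `unrestricted(SAMPLE)` lists both commands of the first rule and the wildcarded `helper2` entry, while the rule that appends "" to each command produces no findings.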

#10 Updated by lamby about 2 months ago

  • File 2018-10-19_17-07.png View added
  • Assignee changed from lamby to intrigeri
  • QA Check changed from Ready for QA to Pass

Methodology:

I built branch bugfix/15829-harden-sudo-config+force-all-tests at a42340eb8ae681ed279826e3f11191f8c5869a26 to generate tails-amd64-bugfix_15829-harden-sudo-config+force-all-tests-3.10-20181019T1930Z-a42340eb8a.iso which has a SHA-1 of c88ebd186e373d2387f4fc4a0f9304233f836644.

Expected behaviour:

/usr/local/sbin/tails-debugging-info (and friends) should reject any parameters when run under sudo. Running without parameters should work as before/expected.

Saw behaviour:

$ sudo /usr/local/sbin/tails-debugging-info DISALLOW
was rejected.

$ sudo /usr/local/sbin/tails-debugging-info
was allowed.

See attached screenshot.

Conclusion:

I consider this tested, working and ready to merge.

#11 Updated by intrigeri about 2 months ago

Thank you. I'll test the "boot profile" part myself (mentioned in #15829#note-4 but clearly lacking pointers for you to understand what I was talking about; FTR this is about the code we have for "SquashFS file order" in https://tails.boum.org/contribute/release_process/) because it's probably too late to do another round-trip in time for 3.10. If that works, I'll merge.

#12 Updated by intrigeri about 2 months ago

lamby wrote:

Expected behaviour:

/usr/local/sbin/tails-debugging-info (and friends) should reject any parameters when run under sudo. Running without parameters should work as before/expected.

FTR the sudo config for tails-debugging-info was hardened 3.5 years ago and is not affected by the proposed branch.

#13 Updated by intrigeri about 2 months ago

  • QA Check changed from Pass to Ready for QA

#14 Updated by intrigeri about 2 months ago

  • Status changed from In Progress to Fix committed
  • Assignee deleted (intrigeri)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

intrigeri wrote:

Thank you. I'll test the "boot profile" part myself (mentioned in #15829#note-4 but clearly lacking pointers for you to understand what I was talking about; FTR this is about the code we have for "SquashFS file order" in https://tails.boum.org/contribute/release_process/)

That works: the boot-profile process is correctly killed.

If that works, I'll merge.

Done! :)

#15 Updated by lamby about 2 months ago

If it helps, I also tested poweroff but naturally could not get a screenshot of it, so did not use it as my documented testcase.

#16 Updated by intrigeri about 2 months ago

  • Status changed from Fix committed to In Progress

Applied in changeset commit:d9c6ac1a2b83e62808921bd0f5ea88dd9bd343aa.

#17 Updated by intrigeri about 2 months ago

  • Status changed from In Progress to Resolved
