--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: ninja: Non-magic-group users treated as being in magic group
- From: ninjabug <ninjabugzzz@mailinator.com>
- Date: Mon, 24 Nov 2014 19:39:50 +0900
- Message-id: <20141124103950.2163.1999.reportbug@pc>
Package: ninja
Version: 0.1.3-2
Severity: important
Dear Maintainer,
I ran ninja from a root shell while logged into a standard user account,
initially with the attached ninja.conf and whitelist files using the
command "ninja /etc/ninja/ninja.conf".
"su" and "sudo" entries were removed from the whitelist file, and only
GID 0 was specified as the "magic group".
The (one and only) standard user account on this installation has a GID
of 1000.
I tested ninja by running "su" and "sudo synaptic -h" from a standard
user shell, and both times they were allowed to run. Here are samples
of entries from the ninja log file:
NEW ROOT PROCESS: su[1763] ppid=1758 uid=0 gid=1000
- ppid uid=1000(user) gid=1000 ppid=1699
+ user is in magic group, all OK!
NEW ROOT PROCESS: sudo[1891] ppid=1850 uid=0 gid=1000
- ppid uid=1000(user) gid=1000 ppid=1699
+ user is in magic group, all OK!
I tried the above again after re-running ninja without a ninja.conf
specified and experienced the same results.
I had expected both su and sudo to be blocked by ninja since neither
was in the whitelist file and the user account was not in the magic
group.
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ninja depends on:
ii libc6 2.19-7
ii logrotate 3.8.7-1
ninja recommends no packages.
ninja suggests no packages.
-- Configuration Files:
/etc/ninja/ninja.conf changed:
group = 0
daemon = yes
interval = 0
logfile = /root/ninja.log
whitelist = /etc/ninja/whitelist
external_command = '!!! PRIVILEGE ESCALATION DETECTED !!!'
no_kill = no
no_kill_ppid = no
ignore_root_procs = yes
log_whitelist = no
require_init_wlist = no
proc_scan_offset = 0
/etc/ninja/whitelist changed:
/bin/fusermount:users:
/usr/bin/passwd:users:
/usr/bin/pulseaudio:users:
/usr/sbin/hald:haldaemon:
/usr/lib/hal/hald-runner:haldaemon:
-- no debconf information
--- End Message ---
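
As an added example (not part of the original report and not ninja's own code), the following Python script parses log entries in the format quoted in the report and lists every "magic group" allow decision where the parent user's primary GID differs from the configured group and the user is not in a caller-supplied member list. The function name, its parameters and the third sample entry (user "admin") are assumptions constructed for illustration; the member list is assumed to be taken from the magic group's entry in /etc/group.

```python
import re

# First two entries are copied from the report; the third is constructed
# to show a user who is a legitimate supplementary member of the group.
SAMPLE_LOG = """\
NEW ROOT PROCESS: su[1763] ppid=1758 uid=0 gid=1000
- ppid uid=1000(user) gid=1000 ppid=1699
+ user is in magic group, all OK!
NEW ROOT PROCESS: sudo[1891] ppid=1850 uid=0 gid=1000
- ppid uid=1000(user) gid=1000 ppid=1699
+ user is in magic group, all OK!
NEW ROOT PROCESS: su[2044] ppid=2040 uid=0 gid=0
- ppid uid=1001(admin) gid=1001 ppid=1980
+ user is in magic group, all OK!
"""

# Patterns assume the log layout is exactly as quoted in the report.
PROC_RE = re.compile(r"NEW ROOT PROCESS: (\S+)\[(\d+)\] ppid=\d+ uid=\d+ gid=\d+")
PARENT_RE = re.compile(r"- ppid uid=\d+\((.*?)\) gid=(\d+) ppid=\d+")
ALLOW_RE = re.compile(r"\+ user is in magic group")


def suspicious_allows(log_text, magic_gid, magic_members=()):
    """Return (process, pid, user, gid) for each "magic group" allow whose
    parent user has neither the magic primary GID nor listed membership."""
    findings, proc, parent = [], None, None
    for line in log_text.splitlines():
        m = PROC_RE.search(line)
        if m:  # start of a new entry
            proc, parent = (m.group(1), int(m.group(2))), None
            continue
        m = PARENT_RE.search(line)
        if m and proc and parent is None:  # keep the immediate parent only
            parent = (m.group(1), int(m.group(2)))
            continue
        if ALLOW_RE.search(line) and proc and parent:
            user, gid = parent
            if gid != magic_gid and user not in magic_members:
                findings.append((proc[0], proc[1], user, gid))
            proc = parent = None
    return findings


if __name__ == "__main__":
    # group = 0 as in the reported ninja.conf; "admin" is a constructed member.
    for name, pid, user, gid in suspicious_allows(SAMPLE_LOG, 0, {"admin"}):
        print(f"{name}[{pid}] allowed for {user} (gid={gid}), not in magic group")
```

The log records only the parent's primary GID, so an accurate member list is needed to avoid flagging users who belong to the magic group as a supplementary group.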