
Bug#993488: security-tracker: Revoked group permission on a user continue to take effect on all existing processes and sessions



Package: security-tracker
Severity: important
Tags: security

Dear Debian security team,

This bug deals with the lower framework of the Linux/Debian system; it affects
at least all Debian-based Linux distros like Ubuntu, MX-Linux, etc.

Steps to reproduce:
1. create a new group called secure01
addgroup secure01

2. create files that are only accessible by the group
mkdir /mnt/secure-folder
echo yes >/mnt/secure-folder/secure-file
chown -R root:secure01 /mnt/secure-folder/
chmod -R o-rwx /mnt/secure-folder

3. add an existing user into the group
usermod -a -G secure01 user01

BUG1:
If user01 is already logged in, he still cannot access
/mnt/secure-folder/secure-file
ls: cannot open directory '/mnt/secure-folder/': Permission denied

4. delete the user from the group
gpasswd -d user01 secure01

BUG2:
If user01 is already logged in or has running tmux/screen sessions, he can
still access that group's /mnt/secure-folder/secure-file
user01@local:~$ cat /mnt/secure-folder/secure-file
yes


This bug is significant for a multi-user secure Linux environment. In a secure
network cluster, new data files are often dynamically added into the system
with new group permissions created, and some users are added into the group or
removed from the group depending on role change, task change, etc. However, the
changed permission is not reflected immediately in all the running processes
belonging to that user.

As a result, a user can have a persistent tmux/screen session (that does not go
away unless the system is rebooted) to continue to access group files he could
access before, even though his access permission has now been revoked.



-- System Information:
Debian Release: 10.10
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.57 (SMP w/12 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_CPU_OUT_OF_SPEC, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled
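
The group list a process runs with is part of its credentials and can be read from the Groups: line of /proc/<pid>/status, so sessions that still hold a revoked group can be listed. The script below is an added example, not part of the original report; the sample tree and its IDs are constructed, and report assumes getent is available.

```sh
#!/bin/sh
# stale_group_pids PROC_ROOT UID GID
# Print the PID of every process whose real UID is UID and whose primary or
# supplementary groups in PROC_ROOT/<pid>/status still include GID.
stale_group_pids() {
    for status in "$1"/[0-9]*/status; do
        [ -r "$status" ] || continue   # no match, or the process has exited
        awk -v uid="$2" -v gid="$3" '
            $1 == "Pid:" { pid = $2 }
            $1 == "Uid:" { real = $2 }
            $1 == "Gid:" || $1 == "Groups:" {
                for (i = 2; i <= NF; i++) if ($i == gid) hit = 1
            }
            END { if (real == uid && hit) print pid }
        ' "$status" 2>/dev/null
    done
}

# report USER GROUP: check the live system after a revocation.
report() {
    uid=$(id -u "$1") || return 2
    gid=$(getent group "$2" | cut -d: -f3)
    [ -n "$gid" ] || return 2
    # With a user name, id reads the group database, not process credentials.
    case " $(id -G "$1") " in
        *" $gid "*) echo "$1 is still a member of $2" >&2; return 1 ;;
    esac
    stale_group_pids /proc "$uid" "$gid"
}

# make_sample_proc DIR: constructed /proc-like tree (hypothetical IDs).
# 101: user 1001, session from before the revocation, still holds GID 1005.
# 202: user 1001, session started afterwards. 303: user 1002, a member.
make_sample_proc() {
    dir=$1
    while read -r pid uid groups; do
        mkdir -p "$dir/$pid"
        printf 'Pid:\t%s\nUid:\t%s\t%s\t%s\t%s\nGid:\t%s\t%s\t%s\t%s\nGroups:\t%s \n' \
            "$pid" "$uid" "$uid" "$uid" "$uid" "$uid" "$uid" "$uid" "$uid" \
            "$groups" > "$dir/$pid/status"
    done <<EOF
101 1001 27 1001 1005
202 1001 27 1001
303 1002 1002 1005
EOF
}

if [ "$#" -eq 2 ]; then report "$1" "$2"; fi
```

Invoked with the names from the report as arguments (user01 secure01), it prints the PIDs of the sessions that would have to be ended before the revocation applies to them.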

