Re: Embarrassing security bug in systemd

To: debian-user@lists.debian.org
Subject: Re: Embarrassing security bug in systemd
From: Roberto C. Sánchez <roberto@debian.org>
Date: Wed, 6 Dec 2017 17:30:00 -0500
Message-id: <[🔎] 20171206223000.zjgzmdw6w737eq4f@camaguey.connexer.com>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, debian-user@lists.debian.org
In-reply-to: <[🔎] ygfindj7cdq.fsf@tehran.isnogud.escape.de>
References: <[🔎] ygfindj7cdq.fsf@tehran.isnogud.escape.de>

On Wed, Dec 06, 2017 at 10:52:17PM +0100, Urs Thuermann wrote:
> Yesterday, my 10 years old son logged into my laptop running Debian
> jessie using his account, and curiously asked if he is allowed to try
> the /sbin/reboot command.  Knowing I have a Linux system as opposed to
> some crappy Win machine, I replied "sure, go ahead and try".  Seconds
> later I was completely shocked when the machine actually rebooted...
> 
I just tried this (in a VM) and was shocked to find that it works.

> Of course, my son doesn't have any special privileges, no entry in
> /etc/sudoers, etc.  But then I see
> 
>     $ ls -l /sbin/reboot
>     lrwxrwxrwx 1 root root 14 Apr  8  2017 /sbin/reboot -> /bin/systemctl
>     $ ls -l /bin/systemctl
>     -rwxr-xr-x 1 root root 538904 Apr  8  2017 /bin/systemctl
>     $ dpkg -S /bin/systemctl
>     systemd: /bin/systemctl
> 
Here are the other things in /sbin symlinked to systemctl:

$ ls -l /sbin/ |grep systemctl
lrwxrwxrwx 1 root root        14 Jul  5 16:31 halt -> /bin/systemctl
lrwxrwxrwx 1 root root        14 Jul  5 16:31 poweroff -> /bin/systemctl
lrwxrwxrwx 1 root root        14 Jul  5 16:31 reboot -> /bin/systemctl
lrwxrwxrwx 1 root root        14 Jul  5 16:31 runlevel -> /bin/systemctl
lrwxrwxrwx 1 root root        14 Jul  5 16:31 shutdown -> /bin/systemctl
lrwxrwxrwx 1 root root        14 Jul  5 16:31 telinit -> /bin/systemctl

> The /bin/systemctl binary is not suid root, so I assume[1] it
> communicates to systemd which then reboots the machine without
> checking what user the request comes from.
> 
> I wonder how can such a severe bug make it into a Debian stable
> distribution?  And is this just an insane default setting on Debian's
> side or is it yet another instance of brain-dead systemd behavior?
> 
I too consider this a rather serious bug.  However, I do not see any
evidence in the BTS [0] that such a bug has yet been reported against
systemd.

> Searching the man pages I couldn't find a way to fix this.  How can
> that be stopped?
> 
I wonder the same thing.

Regards,

-Roberto

[0] https://bugs.debian.org/src:systemd

-- 
Roberto C. Sánchez

Reply to:

Follow-Ups:
- Re: Embarrassing security bug in systemd
  - From: Ben Caradoc-Davies <ben@transient.nz>

References:
- Embarrassing security bug in systemd
  - From: Urs Thuermann <urs@isnogud.escape.de>

Prev by Date: Re: Embarrassing security bug in systemd
Next by Date: Re: Embarrassing security bug in systemd
Previous by thread: Re: Embarrassing security bug in systemd
Next by thread: Re: Embarrassing security bug in systemd
Index(es):
- Date
- Thread