Your message dated Mon, 17 Aug 2020 07:34:28 +0000
with message-id <[email protected]>
and subject line Bug#965359: fixed in lynis 3.0.0-2
has caused the Debian Bug report #965359,
regarding lynis: Denial of service by user creating symlink to /, disk space
exhaustion due to verbose logging
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
965359: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965359
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lynis
Version: 3.0.0-1
Severity: critical
Tags: security
Justification: breaks unrelated software
X-Debbugs-Cc: [email protected], Debian Security Team
<[email protected]>
root@debian:/var/log# grep lynis daemon.log | wc -l
21311825
root@debian:/var/log# grep lynis daemon.log.1 | wc -l
1986915
root@debian:/var/log# grep lynis syslog | wc -l
19082244
root@debian:/var/log# grep lynis syslog.1 | wc -l
2229585
root@debian:/var/log# ls -al | egrep 'syslog|daemon|lynis'
-rw-r----- 1 root adm 22056719829 Jul 20 09:01 daemon.log
-rw-r----- 1 root adm 2139363076 Jul 19 00:00 daemon.log.1
-rw-r----- 1 root root 1406036 Jul 20 08:57 lynis.log
-rw-r----- 1 root root 189897 Jul 20 08:57 lynis-report.dat
-rw-r----- 1 root adm 19752025179 Jul 20 09:01 syslog
-rw-r----- 1 root adm 2308186335 Jul 20 00:00 syslog.1
-rw-r----- 1 root adm 12446588 Jul 19 00:00 syslog.2.gz
-rw-r----- 1 root adm 3843198 Jul 18 00:00 syslog.3.gz
-rw-r----- 1 root adm 3957595 Jul 17 00:00 syslog.4.gz
-rw-r----- 1 root adm 651678 Jul 16 00:00 syslog.5.gz
root@debian:/var/log#
A sample:
Jul 19 00:12:00 localhost lynis[2755422]: find: File system loop detected; '/lib/live/mount/overlay/rw/home/user/bar/bin/X11' is part of the same file system loop as '/lib/live/mount/overlay/rw/home/user/bar/bin'.
Jul 19 00:12:00 localhost lynis[2755422]: find: File system loop detected; '/lib/live/mount/overlay/rw/home/user/bar/dev/fd/3' is part of the same file system loop as '/lib/live/mount/overlay/rw/home/user/bar'.
Jul 19 00:12:00 localhost lynis[2755422]: find: '/lib/live/mount/overlay/rw/home/user/bar/dev/fd/4': No such file or directory
Jul 19 00:12:00 localhost lynis[2755422]: find: File system loop detected; '/lib/live/mount/overlay/rw/home/user/bar/home/user/bar' is part of the same file system loop as '/lib/live/mount/overlay/rw/home/user/bar'.
Jul 19 00:12:00 localhost lynis[2755422]: find: File system loop detected; '/lib/live/mount/overlay/rw/home/user/bar/home/user/Games/apex-legends/dosdevices/f:/debian' is part of the same file system loop as '/lib/live/mount/overlay/rw/home/user/bar/home/user/Games/apex-legends/dosdevices/f:'.
Jul 19 00:12:00 localhost lynis[2755422]: find: File system loop detected; '/lib/live/mount/overlay/rw/home/user/bar/home/user/Games/apex-legends/dosdevices/z:' is part of the same file system loop as '/lib/live/mount/overlay/rw/home/user/bar'.
Jul 19 00:12:00 localhost lynis[2755422]: find: File system loop detected; '/lib/live/mount/overlay/rw/home/user/bar/home/user/.local/share/webkitgtk/databases/indexeddb/v0' is part of the same file system loop as '/lib/live/mount/overlay/rw/home/user/bar/home/user/.local/share/webkitgtk/databases/indexeddb'.
Jul 19 00:12:00 localhost lynis[2755422]: find: File system loop detected; '/lib/live/mount/overlay/rw/home/user/bar/lib' is part of the same file system loop as '/lib'.
Jul 19 00:12:00 localhost lynis[2755422]: find: File system loop detected; '/lib/live/mount/overlay/rw/home/user/bar/proc/self/task/2755422/fd/3' is part of the same file system loop as '/lib/live/mount/overlay/rw/home/user/bar'.
Jul 19 00:12:00 localhost lynis[2755422]: find: '/lib/live/mount/overlay/rw/home/user/bar/proc/self/task/2755422/fd/4': No such file or directory
Jul 19 00:12:00 localhost lynis[2755422]: find: '/lib/live/mount/overlay/rw/home/user/bar/proc/self/task/2755422/fdinfo/4': No such file or directory
Jul 19 00:12:00 localhost lynis[2755422]: find: File system loop detected; '/lib/live/mount/overlay/rw/home/user/bar/proc/6/cwd' is part of the same file system loop as '/lib/live/mount/overlay/rw/home/user/bar'.
It consumed all 160GB of my disk space easily.
All because of a `/home/user/bar -> /` symlink.
Lynis should not emit 'File system loop detected' to logs. It is not a
bug or error. Similarly, 'No such file or directory' should not be logged;
it is not a bug or error, but a normal occurrence.
Symlinks that do point back up are normal and shouldn't be logged; it
is a normal occurrence.
Multiple unrelated services got disrupted (including crashes), due to disk
space exhaustion, missing logs from other software, and other software
crashing with unsaved state (i.e. text editor, web browser, etc).
Regards,
Witold
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.6.0-1-amd64 (SMP w/32 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages lynis depends on:
ii e2fsprogs 1.45.6-1
Versions of packages lynis recommends:
ii menu 2.1.47+b1
Versions of packages lynis suggests:
pn aide <none>
pn apt-listbugs <none>
ii bind9-dnsutils [dnsutils] 1:9.16.4-1
pn debsecan <none>
ii debsums 3.0.0
ii dnsutils 1:9.16.4-1
ii fail2ban 0.11.1-2
pn samhain <none>
pn tripwire <none>
-- no debconf information
--- End Message ---
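The failure mode reported above, reproduced inside a throwaway directory as an added example (not code from lynis or from the Debian fix): a symlink that points back up its own tree makes a symlink-following `find -L` write loop diagnostics to stderr, while `find -P` never follows it and stays silent. GNU find is assumed; the sandbox layout and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example; GNU find assumed. All paths are constructed in a temp dir.

# Build a small tree with one regular file and one symlink that points
# back up to the tree's own root (a confined stand-in for "bar -> /").
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/home/user" "$sb/var/lib/pkg"
    : > "$sb/var/lib/pkg/example.md5sums"
    ln -s "$sb" "$sb/home/user/bar"
    printf '%s\n' "$sb"
}

# Number of diagnostic lines find writes to stderr in the given symlink
# mode: -L follows symlinks, -P (the default) never follows them.
count_find_diagnostics() {
    find "$1" "$2" -type f 2>&1 >/dev/null | wc -l | tr -d ' '
}

# Number of regular files reported in the given mode, diagnostics dropped.
count_find_files() {
    find "$1" "$2" -type f 2>/dev/null | wc -l | tr -d ' '
}

sandbox=$(make_sandbox)
echo "diagnostics with -L: $(count_find_diagnostics -L "$sandbox")"
echo "diagnostics with -P: $(count_find_diagnostics -P "$sandbox")"
echo "files found with -P: $(count_find_files -P "$sandbox")"
rm -rf "$sandbox"   # rm does not follow the symlink; only the sandbox is removed
```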
--- Begin Message ---
Source: lynis
Source-Version: 3.0.0-2
Done: Marc Dequènes (Duck) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
lynis, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marc Dequènes (Duck) <[email protected]> (supplier of updated lynis package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 17 Aug 2020 15:56:27 +0900
Source: lynis
Architecture: source
Version: 3.0.0-2
Distribution: unstable
Urgency: medium
Maintainer: Marc Dequènes (Duck) <[email protected]>
Changed-By: Marc Dequènes (Duck) <[email protected]>
Closes: 965359
Changes:
lynis (3.0.0-2) unstable; urgency=medium
.
* Fix find usage in DEB-0280 (Closes: #965359).
--- End Message ---