I've awk-ed a list of the packages Upgraded or Installed on July 28th on
the affected PC (previous upgrade was on July 8th). I've put a ? in
front of those that could be suspect. That list is short:
grep '^?' Hacking/bug-groups-packages-updated.log
? gir1.2-polkit-1.0:amd64 (0.105-20, 0.105-20ubuntu0.18.04.1),
? libpam-systemd:amd64 (237-3ubuntu10, 237-3ubuntu10.3),
? libpolkit-agent-1-0:amd64 (0.105-20, 0.105-20ubuntu0.18.04.1),
? libpolkit-backend-1-0:amd64 (0.105-20, 0.105-20ubuntu0.18.04.1),
? libpolkit-gobject-1-0:amd64 (0.105-20, 0.105-20ubuntu0.18.04.1),
? libsystemd0:amd64 (237-3ubuntu10, 237-3ubuntu10.3),
? libsystemd0:i386 (237-3ubuntu10, 237-3ubuntu10.3),
? policykit-1:amd64 (0.105-20, 0.105-20ubuntu0.18.04.1),
? systemd:amd64 (237-3ubuntu10, 237-3ubuntu10.3),
The entire list is attached in case I've missed something.
The command used to generate it was:
zcat history.log.1.gz | awk '/^Start-Date:.*2018-07-28/{FOUND=1; print
-bash} FOUND && /^(Install|Upgrade): / { LIST=gensub( /), /, "),\n",
"g", -bash) } { if(LIST != "") {gsub(/^(Install|Upgrade): /, "", LIST);
print "---"; print LIST | "sort"; print "---"; LIST=""}}' > ~/Hacking
/bug-groups-packages-updated.log
** Attachment added: "List of packages upgraded July 28th"
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+attachment/5170768/+files/bug-groups-packages-updated.log
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1784964
Title:
Regression due to CVE-2018-1116 (processes not inheriting user ID or
groups )
Status in policykit-1 package in Ubuntu:
Confirmed
Bug description:
This report is tracking a possible regression caused by the recent
CVE-2018-1116 patches to policykit-1.
On 18.04, since package upgrades on July 23rd, and after the first
reboot since then on Aug 1st, I hit an issue with the primary (sudo,
adm, etc...) user getting Permission Denied trying to do:
tail -f /var/log/syslog
when that file is owned by syslog:adm and is g=r.
I then found that "groups" reports only the $USER and not the entire
list, but "groups $USER" reports all the groups correctly.
The user shell is set to /usr/bin/tmux and /etc/tmux.conf has "set -g
default-shell /bin/bash"
After changing the user's shell back to /bin/bash and logging in on
tty1 the list of groups shows correctly for the /bin/bash process
running on tty1.
I investigated and found that for the affected processes, such as the
tmux process, /proc/$PID/loginuid = 4294967295 whereas the /bin/bash
process on tty1 correctly reported 1000. The same with the respective
gid_map and uid_map.
4294967295 == -1 == 0xFFFFFFFF
The recent CVE patch to policykit has several functions where it does
"uid = -1" which seems to tie in to my findings so far.
I also noticed Ubuntu is still based on version 0.105 which was
released in 2012 - upstream released 0.115 with the CVE patch.
I suspect the backporting has missed something.
The Ubuntu backport patch is:
https://git.launchpad.net/ubuntu/+source/policykit-1/commit/?h=applied/ubuntu
/bionic-devel&id=840c50182f5ab1ba28c1d20cce4c207364852935
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
