I'm not sure whether this is the right place to write this, but those permission checks look really racy - both the file type test and the file owner UID check. (Besides, I think that an attacker should be able to hardlink a file created by another user into his directory, which would also lead to a bypass of the UID equality check, but I'm not familiar enough with Ubuntu to be able to say whether that attack is actually feasible.)
-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to upstart in Ubuntu.
https://bugs.launchpad.net/bugs/1425685

Title:
  Missing input sanitation in upstart logrotation cronjob

Status in upstart package in Ubuntu:
  Fix Released

Bug description:
  Ubuntu Vivid 1504 (development branch) installs an insecure upstart
  logrotation script which will read user-supplied data from
  /run/user/[uid]/upstart/sessions and pass them unsanitized to an env
  command. As user run directory is user-writable, the user may inject
  arbitrary commands into the logrotation script, which will be executed
  during daily cron job execution around midnight with root privileges.

  Problematic part of /etc/cron.daily/upstart:

  for session in /run/user/*/upstart/sessions/*
  do
    env $(cat $session) /sbin/initctl emit rotate-logs >/dev/null 2>&1 || true
  done

  On a system with e.g. libpam-systemd installed, standard login on TTY
  or via SSH will create the directory /run/user/[uid] writable to the
  user. By preparing a suitable session file, user supplied code will be
  run during the daily cron-jobs. See [1] for more information.

  # lsb_release -rd
  Description:    Ubuntu Vivid Vervet (development branch)
  Release:        15.04

  # apt-cache policy upstart-bin
  upstart-bin:
    Installed: 1.13.2-0ubuntu7
    Candidate: 1.13.2-0ubuntu7
    Version table:
   *** 1.13.2-0ubuntu7 0
          500 http://archive.ubuntu.com/ubuntu/ vivid/main i386 Packages
          100 /var/lib/dpkg/status

  [1]
  http://www.halfdog.net/Security/2015/UpstartLogrotationPrivilegeEscalation/
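One way to make the file type and owner checks discussed in the comment above race-free, as an added example that is not part of the original message or of the upstart package: the file is opened once and every check runs against the open descriptor, then the content is parsed instead of being expanded on a command line. The function name `read_session_file`, the `ALLOWED_KEYS` set and the sample file content are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

ALLOWED_KEYS = {"UPSTART_SESSION"}  # assumption: the only variable the job needs
VALUE_RE = re.compile(r"[A-Za-z0-9_@:/.=-]+")  # no whitespace, quotes or shell metacharacters
MAX_BYTES = 4096

def read_session_file(path, expected_uid):
    """Return {KEY: VALUE}; raise OSError/ValueError if the file is not acceptable."""
    # O_NOFOLLOW refuses a symlink as the last path component; O_NONBLOCK
    # keeps open() from blocking on a FIFO placed in the directory.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        # fstat() describes the object that was opened, so the checks and the
        # read below cannot be pointed at different files by a rename.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("not a regular file")
        if st.st_uid != expected_uid:
            raise ValueError("owner does not match session directory")
        if st.st_nlink != 1:
            raise ValueError("file has additional hard links")
        data = os.read(fd, MAX_BYTES + 1)
    finally:
        os.close(fd)
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    env = {}
    for line in data.decode("ascii").splitlines():
        key, sep, value = line.partition("=")
        if not sep or key not in ALLOWED_KEYS or not VALUE_RE.fullmatch(value):
            raise ValueError("rejected line")
        env[key] = value
    return env

if __name__ == "__main__":
    # Constructed sample file; a real caller would take expected_uid from the
    # numeric component of /run/user/<uid>/ rather than from os.getuid().
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "session")
        with open(p, "w") as f:
            f.write("UPSTART_SESSION=unix:abstract=/com/ubuntu/upstart-session/1000/1234\n")
        print(read_session_file(p, os.getuid()))
```

O_NOFOLLOW only covers the final path component, so the directories above the file remain under the user's control; the returned values are meant to be passed as an argument list or environment mapping, never through a shell.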