dhcp3-server fails to drop privileges properly

Bug #727837 reported by Juha Erkkilä
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| dhcp3 (Ubuntu) | Won't Fix | Undecided | Unassigned | |
| Hardy | Won't Fix | Undecided | Unassigned | |
| Lucid | Won't Fix | Undecided | Unassigned | |
| isc-dhcp (Ubuntu) | Fix Released | Undecided | Stéphane Graber | |
| Natty | Won't Fix | Undecided | Unassigned | |
| Oneiric | Won't Fix | Undecided | Unassigned | |
| Precise | Fix Released | Medium | Stéphane Graber | |
| Quantal | Fix Released | Undecided | Stéphane Graber | |

Bug Description

Binary package hint: dhcp3-server

In debian/patches/droppriv.dpatch there is some privilege dropping code in function drop_privileges(). This fails to drop privileges of root-group and does not initialize the groups properly.

One can test this by adding:

on commit {
  execute("/usr/local/bin/dhcp_group_test");
}

to /etc/dhcp3/dhcpd.conf, and then write /usr/local/bin/dhcp_group_test to log the output of "id" to some file. (You may wish to turn apparmor off for this test, but it can be done with it as well). The output should read:

uid=112(dhcpd) gid=120(dhcpd) groups=0(root)

This means that dhcp will retain the root-group privileges and is missing other groups that a user may have possibly defined for it.

The fix would be to use either initgroups() or setgroups() function properly in drop_privileges(). Doing this should also fix this bug: https://bugs.launchpad.net/ubuntu/+source/dhcp3/+bug/341817

This is:

Description: Ubuntu 10.04.1 LTS
Release: 10.04

dhcp3-server:
  Installed: 3.1.3-2ubuntu3
  Candidate: 3.1.3-2ubuntu3
  Version table:
 *** 3.1.3-2ubuntu3 0
        500 http://mirror.opinsys.fi/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
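
The drop sequence the report asks for (supplementary groups via initgroups(), then gid, then uid, followed by a check of the result), as an added example; this is not the droppriv patch or any code from the dhcp3 package. The names drop_privileges_checked-style helpers used here (count_unexpected_groups, MAX_GROUPS) are assumptions, and the sample gids in main() are constructed from the id output quoted above.

```c
#define _DEFAULT_SOURCE            /* exposes initgroups()/getgrouplist() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 64              /* assumption: plenty for a service account */

/* Number of entries in have[] that are absent from allowed[]. */
int count_unexpected_groups(const gid_t *have, int n_have,
                            const gid_t *allowed, int n_allowed)
{
    int unexpected = 0;
    for (int i = 0; i < n_have; i++) {
        int found = 0;
        for (int j = 0; j < n_allowed && !found; j++)
            found = (have[i] == allowed[j]);
        unexpected += !found;
    }
    return unexpected;
}

/* Drop from root to `user`: supplementary groups, then gid, then uid.
 * Returns 0 on success, -1 on failure; the caller should exit on -1. */
int drop_privileges(const char *user)
{
    gid_t allowed[MAX_GROUPS], have[MAX_GROUPS];
    int n_allowed = MAX_GROUPS, n_have;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0) return -1;
    if (getgrouplist(user, pw->pw_gid, allowed, &n_allowed) < 0) return -1;
    if (initgroups(user, pw->pw_gid) != 0) return -1; /* replaces root's list */
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;           /* last: steps above need root */
    if (setuid(0) == 0) return -1;                    /* root must be unrecoverable */
    n_have = getgroups(MAX_GROUPS, have);
    if (n_have < 0) return -1;
    return count_unexpected_groups(have, n_have, allowed, n_allowed) ? -1 : 0;
}

int main(void)
{
    /* Constructed from the report's id output: groups=0(root), account gid 120. */
    gid_t have[] = { 0 }, allowed[] = { 120 };
    printf("unexpected groups: %d\n",
           count_unexpected_groups(have, 1, allowed, 1));
    return 0;
}
```

Without the initgroups() call the process keeps whatever supplementary group list it started with, which is how gid 0 survives in the output shown in the report.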

Changed in isc-dhcp (Ubuntu):
status: New → Confirmed
Changed in isc-dhcp (Ubuntu Lucid):
status: New → Invalid
Changed in isc-dhcp (Ubuntu Maverick):
status: New → Invalid
Changed in isc-dhcp (Ubuntu Dapper):
status: New → Invalid
Changed in isc-dhcp (Ubuntu Hardy):
status: New → Invalid
Changed in isc-dhcp (Ubuntu Karmic):
status: New → Invalid
Changed in dhcp3 (Ubuntu Lucid):
status: New → Confirmed
Changed in dhcp3 (Ubuntu Maverick):
status: New → Confirmed
Changed in dhcp3 (Ubuntu Natty):
status: New → Confirmed
Changed in dhcp3 (Ubuntu Dapper):
status: New → Confirmed
Changed in dhcp3 (Ubuntu Hardy):
status: New → Confirmed
Changed in dhcp3 (Ubuntu Karmic):
status: New → Confirmed
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in dhcp3 (Ubuntu Dapper):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. karmic has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against karmic is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in dhcp3 (Ubuntu Karmic):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in dhcp3 (Ubuntu Maverick):
status: Confirmed → Won't Fix
no longer affects: dhcp3 (Ubuntu Dapper)
no longer affects: dhcp3 (Ubuntu Natty)
no longer affects: dhcp3 (Ubuntu Karmic)
no longer affects: isc-dhcp (Ubuntu Maverick)
no longer affects: isc-dhcp (Ubuntu Lucid)
no longer affects: isc-dhcp (Ubuntu Karmic)
no longer affects: dhcp3 (Ubuntu Maverick)
no longer affects: isc-dhcp (Ubuntu Dapper)
no longer affects: isc-dhcp (Ubuntu Hardy)
no longer affects: dhcp3 (Ubuntu Quantal)
no longer affects: dhcp3 (Ubuntu Precise)
no longer affects: dhcp3 (Ubuntu Oneiric)
Changed in isc-dhcp (Ubuntu Quantal):
status: Confirmed → In Progress
assignee: nobody → Stéphane Graber (stgraber)
Stéphane Graber (stgraber) wrote :

For quantal I'll simply start using --enable-paranoia, introduced upstream with 4.1 that adds support for -user and -group to dhcpd.

I confirmed with the testcase above that groups is properly set using that option.

Changed in isc-dhcp (Ubuntu Quantal):
status: In Progress → Fix Committed
Stéphane Graber (stgraber) wrote :

For previous releases, I think the attached patch should do the trick.

security-team: any problem with that patch? do you want to have this issued as a security fix for previous releases?

Marc Deslauriers (mdeslaur) wrote :

Thanks Stéphane,

This isn't a security flaw per se requiring a CVE. If you have something to SRU in previous releases, you can include this, else we'll bundle it next time we do have a security issue to fix.

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.2.4-1ubuntu1

---------------
isc-dhcp (4.2.4-1ubuntu1) quantal; urgency=low

  * Merge from Debian. Remaining changes:
    (LP: #768171, LP: #841182, LP: #881558, LP: #872929, LP: #616809)
    - Use upstart jobs for isc-dhcp-server and isc-dhcp-relay.
    - Add IPv6 support to udeb dhclient-script (forwarded as Debian #635897).
    - Add an apport hook to isc-dhcp-client and isc-dhcp-server.
    - Add an apparmor profile to isc-dhcp-client and isc-dhcp-server.
    - Update default dhclient.conf to ask for IPv6 configuration.
    - Patches:
      + dhclient-fix-backoff
      + dhclient-more-debug
      + dhclient-onetry-call-clientscript
      + dhclient-safer-timeout
      + dhcpd.conf-subnet-examples
      + multi-ip-addr-per-if
      + onetry_retry_after_initial_success
      + revert-next-server
  * Set fqdn.fqdn to the result of gethostname(); (LP: #991360)
  * Replace old droppriv and deroot patches by use of --enable-paranoia
    and matching -user and -group parameters to dhcpd. (LP: #727837)
  * Allow read access to /etc/dhcp/ddns-keys/* for ddns. (LP: #341817)
    It's expected that people generate one key per zone and have it stored
    in both /etc/bind9 and /etc/dhcp/ddns-keys/ for security reason.
  * Fix apport hook to work with python3.

isc-dhcp (4.2.4-1) unstable; urgency=low

  * New upstream release
  * debian/control: reformatted Uploaders so that dch doesn't think I'm making
    NMUs
  * debian/rules: do a clean between the LDAP-enabled build and the
    non-LDAP-enabled one, so that no LDAP-related artefacts are accidently
    incorporated into the non-LDAP build
  * debian/dhclient-script.*: conditionalise the chown/chmod of the new
    resolv.conf on the existence of the old one (closes: #595400)
  * debian/dhclient-script.linux: comply with RFC 3442 and ignore
    the routers option if the rfc3442-classless-static-routes option is present
    (closes: #592735)
  * debian/dhclient-script.kfreebsd: fix subnet mask handling (closes: #677985)

isc-dhcp (4.2.2.dfsg.1-5) unstable; urgency=medium

  [ Andrew Pollock ]
  * debian/dhclient.conf: send the hostname (closes: #151820)

  [ Michael Gilbert ]
  * Fix cve-2011-4868: error in DDNS handling with IPv6 (closes: #655746)
  * Fix cve-2011-4539: error in regular expression handling
    (closes: #652259)
  * Make dependencies diff-able
  * Add myself to uploaders
  * Remove all automatically generated files in clean rule
  * Medium urgency for security updates

isc-dhcp (4.2.2.dfsg.1-4) unstable; urgency=low

  * The "Zoe woke up at 4am and I couldn't get back to sleep so I had some
    extra time to work on this" release
  * patch the Makefile for the embedded BIND libraries so that autoconf is run
    so that the modification to configure.in to fix the FTBFS on kFreeBSD
    actually does something useful (closes: #643569)

isc-dhcp (4.2.2.dfsg.1-3) unstable; urgency=low

  * debian/control: remove transitional packages
  * debian/rules: apply the intent of Pierre Chifflier's patch to enable
    hardening options (closes: #644413)
  * debian/control: also add inetutils-ping to the dependencies for
    isc-dhcp-client on hurd (...


Changed in isc-dhcp (Ubuntu Quantal):
status: Fix Committed → Fix Released
Stéphane Graber (stgraber) wrote :

Fix committed to my local branch, should get uploaded later this week.

Changed in isc-dhcp (Ubuntu Precise):
status: New → In Progress
assignee: nobody → Stéphane Graber (stgraber)
Changed in isc-dhcp (Ubuntu Precise):
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in isc-dhcp (Ubuntu Natty):
status: Confirmed → Won't Fix
Clint Byrum (clint-fewbar) wrote : Please test proposed package

Hello Juha, or anyone else affected,

Accepted isc-dhcp into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/isc-dhcp/4.1.ESV-R4-0ubuntu5.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in isc-dhcp (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Stéphane Graber (stgraber) wrote :

I remember testing this and nobody reported any regression, good to go.

tags: added: verification-done
removed: verification-needed
Brian Murray (brian-murray) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.1.ESV-R4-0ubuntu5.6

---------------
isc-dhcp (4.1.ESV-R4-0ubuntu5.6) precise-proposed; urgency=low

  [ Scott Moser ]
  * debian/apparmor-profile.dhcpd: use include directory to enable
    other packages to re-use isc-dhcp-server. (LP: #1049177)

  [ Stéphane Graber ]
  * Update onetry_retry_after_initial_success to disable the onetry variable
    early enough to actually prevent dhclient from exiting. (LP: #974284)
  * Update droppriv patch to also call initgroups() (LP: #727837)
 -- Stephane Graber <email address hidden> Tue, 18 Sep 2012 10:34:10 -0400

Changed in isc-dhcp (Ubuntu Precise):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. hardy has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against hardy is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in dhcp3 (Ubuntu Hardy):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in isc-dhcp (Ubuntu Oneiric):
status: New → Won't Fix
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in dhcp3 (Ubuntu Lucid):
status: Confirmed → Won't Fix
Steve Beattie (sbeattie) wrote :

dhcp3 was superseded by isc-dhcp between lucid and precise and therefore is not available under any supported Ubuntu release. Marking the task dhcp3 as "Won't Fix".

Changed in dhcp3 (Ubuntu):
status: Confirmed → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.