Debian Bug report logs - #620304
tmux: Incorrect dropping of privileges allows users to obtain utmp group privileges

version graph

Package: tmux; Maintainer for tmux is Romain Francoise <rfrancoise@debian.org>; Source for tmux is src:tmux.

Reported by: Daniel Danner <daniel@danner.de>

Date: Thu, 31 Mar 2011 21:51:02 UTC

Severity: serious

Tags: security

Found in version tmux/1.3-2

Fixed in versions tmux/1.4-6, tmux/1.3-2+squeeze1

Done: Karl Ferdinand Ebert <kfebert@gmail.com>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Karl Ferdinand Ebert <kfebert@gmail.com>:
Bug#620304; Package tmux. (Thu, 31 Mar 2011 21:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Danner <daniel@danner.de>:
New Bug report received and forwarded. Copy sent to Karl Ferdinand Ebert <kfebert@gmail.com>. (Thu, 31 Mar 2011 21:51:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Daniel Danner <daniel@danner.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tmux: Incorrect dropping of privileges allows users to obtain utmp group privileges
Date: Thu, 31 Mar 2011 23:42:23 +0200
Package: tmux
Version: 1.3-2
Severity: important


When running tmux with -S (specify custom socket path), the utmp
group privileges will not be dropped but inherited to any shells running
within tmux.

While /bin/bash gets kind of confused, strangely skips loading
/etc/profile, ~/.bashrc etc. and also drops the utmp privileges on its
own, using /bin/dash, for instance, allows to illustrate the issue:

1. run "SHELL=/bin/sh tmux -S whatever"
2. run "id" inside tmux
3. observe egid=43(utmp)

The problem is apparently introduced by 03_proper_socket_handling.diff
and 04_dropping_unnecessary_privileges.diff. The incorrectly placed call
to setresgid() in is not reached when a custom socket path is used.

-- System Information:
Debian Release: 6.0.1
  APT prefers squeeze-updates
  APT policy: (500, 'squeeze-updates'), (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages tmux depends on:
ii  libc6                    2.11.2-10       Embedded GNU C Library: Shared lib
ii  libevent-1.4-2           1.4.13-stable-1 An asynchronous event notification
ii  libncurses5              5.7+20100313-5  shared libraries for terminal hand

tmux recommends no packages.

tmux suggests no packages.

-- no debconf information




Severity set to 'serious' from 'important' Request was from Romain Francoise <rfrancoise@debian.org> to control@bugs.debian.org. (Mon, 04 Apr 2011 20:51:09 GMT) Full text and rfc822 format available.

Added tag(s) security. Request was from Romain Francoise <rfrancoise@debian.org> to control@bugs.debian.org. (Mon, 04 Apr 2011 20:51:11 GMT) Full text and rfc822 format available.

Reply sent to Karl Ferdinand Ebert <kfebert@gmail.com>:
You have taken responsibility. (Mon, 04 Apr 2011 21:36:09 GMT) Full text and rfc822 format available.

Notification sent to Daniel Danner <daniel@danner.de>:
Bug acknowledged by developer. (Mon, 04 Apr 2011 21:36:09 GMT) Full text and rfc822 format available.

Message #14 received at 620304-close@bugs.debian.org (full text, mbox):

From: Karl Ferdinand Ebert <kfebert@gmail.com>
To: 620304-close@bugs.debian.org
Subject: Bug#620304: fixed in tmux 1.4-6
Date: Mon, 04 Apr 2011 21:33:23 +0000
Source: tmux
Source-Version: 1.4-6

We believe that the bug you reported is fixed in the latest version of
tmux, which is due to be installed in the Debian FTP archive:

tmux_1.4-6.debian.tar.gz
  to main/t/tmux/tmux_1.4-6.debian.tar.gz
tmux_1.4-6.dsc
  to main/t/tmux/tmux_1.4-6.dsc
tmux_1.4-6_amd64.deb
  to main/t/tmux/tmux_1.4-6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 620304@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Karl Ferdinand Ebert <kfebert@gmail.com> (supplier of updated tmux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 03 Apr 2011 18:28:42 +0200
Source: tmux
Binary: tmux
Architecture: source amd64
Version: 1.4-6
Distribution: unstable
Urgency: high
Maintainer: Karl Ferdinand Ebert <kfebert@gmail.com>
Changed-By: Karl Ferdinand Ebert <kfebert@gmail.com>
Description: 
 tmux       - terminal multiplexer
Closes: 620304
Changes: 
 tmux (1.4-6) unstable; urgency=high
 .
   * Fix "Incorrect dropping of privileges allows users to obtain utmp
     group privileges" by adjusting patch 04_drop_unnecessary_privileges.diff
     to drop privileges at the caller side (Closes: #620304).
Checksums-Sha1: 
 c2bbf3d964d10fd144244e4c78b30ec3338789cb 1201 tmux_1.4-6.dsc
 dff84c66ed2807352b3c132a809b3a55caa7bc07 11369 tmux_1.4-6.debian.tar.gz
 8dc266cc2a21610b8d2797073327437f5d388d5e 237088 tmux_1.4-6_amd64.deb
Checksums-Sha256: 
 98ce70c830c5f476c6ad383cc42b0075e4a0152df7f91ffba7cd7f01d2836f47 1201 tmux_1.4-6.dsc
 472038c1511037dabf2b75315235462aa0466b97a1d1839b3d31533f706f323a 11369 tmux_1.4-6.debian.tar.gz
 2291036b21af6cbec8615d2235f797b5d62667554428d195b3cc171e19943158 237088 tmux_1.4-6_amd64.deb
Files: 
 4314e786e11e5999eb35069433243a5a 1201 admin optional tmux_1.4-6.dsc
 0beee9320d0481914fcbe85a0cd18126 11369 admin optional tmux_1.4-6.debian.tar.gz
 1622ac3324457c68a948e30b6bb1a71f 237088 admin optional tmux_1.4-6_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFNmi7UogN2vsA8Vt8RAoCWAJ0a28Gf06CsDYQZ8XdjFYoSdpO4NwCgsh14
4oXbigDAhsh0r/rLKFL5yV8=
=jCP+
-----END PGP SIGNATURE-----





Reply sent to Karl Ferdinand Ebert <kfebert@gmail.com>:
You have taken responsibility. (Sat, 09 Apr 2011 01:57:06 GMT) Full text and rfc822 format available.

Notification sent to Daniel Danner <daniel@danner.de>:
Bug acknowledged by developer. (Sat, 09 Apr 2011 01:57:06 GMT) Full text and rfc822 format available.

Message #19 received at 620304-close@bugs.debian.org (full text, mbox):

From: Karl Ferdinand Ebert <kfebert@gmail.com>
To: 620304-close@bugs.debian.org
Subject: Bug#620304: fixed in tmux 1.3-2+squeeze1
Date: Sat, 09 Apr 2011 01:56:18 +0000
Source: tmux
Source-Version: 1.3-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
tmux, which is due to be installed in the Debian FTP archive:

tmux_1.3-2+squeeze1.debian.tar.gz
  to main/t/tmux/tmux_1.3-2+squeeze1.debian.tar.gz
tmux_1.3-2+squeeze1.dsc
  to main/t/tmux/tmux_1.3-2+squeeze1.dsc
tmux_1.3-2+squeeze1_amd64.deb
  to main/t/tmux/tmux_1.3-2+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 620304@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Karl Ferdinand Ebert <kfebert@gmail.com> (supplier of updated tmux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 04 Apr 2011 23:11:12 +0200
Source: tmux
Binary: tmux
Architecture: amd64 source
Version: 1.3-2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Karl Ferdinand Ebert <kfebert@gmail.com>
Changed-By: Karl Ferdinand Ebert <kfebert@gmail.com>
Closes: 620304
Description: 
 tmux       - terminal multiplexer
Changes: 
 tmux (1.3-2+squeeze1) stable-security; urgency=high
 .
   * Fix "Incorrect dropping of privileges allows users to obtain utmp
     group privileges" by adjusting patch 04_drop_unnecessary_privileges.diff
     to drop privileges at the caller side (Closes: #620304).
Checksums-Sha1: 
 5d50f8d4a63fd9fd34cdc9e214104bdf072e96ac 1228 tmux_1.3-2+squeeze1.dsc
 4d132a5fa25ef049e023f154824f39b0d7e72ab0 251999 tmux_1.3.orig.tar.gz
 6bce736318908b7d783e4418024a43e446bf6e29 11288 tmux_1.3-2+squeeze1.debian.tar.gz
 8dee259050dc759b6533bab88473cec8488d17c0 224558 tmux_1.3-2+squeeze1_amd64.deb
Checksums-Sha256: 
 d608d0c9f66c3a1b70facba10a7f64308d36907110119590a3390e21f287d20e 1228 tmux_1.3-2+squeeze1.dsc
 72c2d6f1c30fb4ccbd29b530a7d8a08e67c9c2d87ac8d67e3806561670fc0362 251999 tmux_1.3.orig.tar.gz
 bbcea6f2d7eaa488c7dd3f1d7c91a21e9157dc2ea3a36ec90e75d0a540740614 11288 tmux_1.3-2+squeeze1.debian.tar.gz
 f83272b21fc86be75c0e1e69d94aecbb28359d8d7fed96a555ce78367aa20252 224558 tmux_1.3-2+squeeze1_amd64.deb
Files: 
 d9161e2e90e99b045efad9819781ddf0 1228 admin optional tmux_1.3-2+squeeze1.dsc
 96e60cb206de2db0610b9fb6a64c2251 251999 admin optional tmux_1.3.orig.tar.gz
 f1817497b89e006b3c0cf610299a8d3f 11288 admin optional tmux_1.3-2+squeeze1.debian.tar.gz
 faf8367e0fe246f5bce8207cf045254d 224558 admin optional tmux_1.3-2+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFNnASmogN2vsA8Vt8RArlyAKDXvO9ICiqYH/VFfJPKinMTZ9rsxwCgviLP
cNAo+EeznSgEmcMnxKM6eMU=
=vdX3
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ferdinand Ebert <kfebert@gmail.com>:
Bug#620304; Package tmux. (Tue, 12 Apr 2011 23:06:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicholas Marriott <nicholas.marriott@gmail.com>:
Extra info received and forwarded to list. Copy sent to Karl Ferdinand Ebert <kfebert@gmail.com>. (Tue, 12 Apr 2011 23:06:04 GMT) Full text and rfc822 format available.

Message #24 received at 620304@bugs.debian.org (full text, mbox):

From: Nicholas Marriott <nicholas.marriott@gmail.com>
To: 620304@bugs.debian.org
Subject: tmux: Incorrect dropping of privileges allows users to obtain utmp group privileges
Date: Tue, 12 Apr 2011 23:31:12 +0100
Hi

Not to say I told you so or anything, but this might be a good time to
reiterate that doing this is a bad idea: the minor inconvenience it
prevents (easily avoided by the user with either tmux -S or by setting
TMPDIR) is much less of a potential problem than running with elevated
privileges.

Now I'm going to have to spend at least some of my time saying "no, not
tmux, Debian security problem"...

Nicholas




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#620304; Package tmux. (Wed, 13 Apr 2011 07:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Karl Ferdinand Ebert <kfebert@gmail.com>:
Extra info received and forwarded to list. (Wed, 13 Apr 2011 07:54:03 GMT) Full text and rfc822 format available.

Message #29 received at 620304@bugs.debian.org (full text, mbox):

From: Karl Ferdinand Ebert <kfebert@gmail.com>
To: Nicholas Marriott <nicholas.marriott@gmail.com>, 620304@bugs.debian.org
Subject: Re: Bug#620304: tmux: Incorrect dropping of privileges allows users to obtain utmp group privileges
Date: Wed, 13 Apr 2011 09:51:00 +0200
[Message part 1 (text/plain, inline)]
Hello Nicholas,

On Wed, Apr 13, 2011 at 12:31 AM, Nicholas Marriott <
nicholas.marriott@gmail.com> wrote:

> Hi
>
> Not to say I told you so or anything, but this might be a good time to
> reiterate that doing this is a bad idea: the minor inconvenience it
> prevents (easily avoided by the user with either tmux -S or by setting
> TMPDIR) is much less of a potential problem than running with elevated
> privileges.
>
Romain and I are about to change the behaviour and drop the privileges
completely.
Maybe at the end it will be only setting a proper TMPDIR or having a note
for the users to point out to how to use 'tmux -S'.
I should have considered this in the first place.

>
> Now I'm going to have to spend at least some of my time saying "no, not
> tmux, Debian security problem"...
>
As this is my fault for having introduced the modifcations I apologize
deeply for wasting your time.
For the record Ubuntu is affected too but not Fedora which has a seperate
group 'tmux'.

Best regards,

Ferdinand
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ferdinand Ebert <kfebert@gmail.com>:
Bug#620304; Package tmux. (Fri, 15 Apr 2011 19:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicholas Marriott <nicholas.marriott@gmail.com>:
Extra info received and forwarded to list. Copy sent to Karl Ferdinand Ebert <kfebert@gmail.com>. (Fri, 15 Apr 2011 19:03:03 GMT) Full text and rfc822 format available.

Message #34 received at 620304@bugs.debian.org (full text, mbox):

From: Nicholas Marriott <nicholas.marriott@gmail.com>
To: Karl Ferdinand Ebert <kfebert@gmail.com>
Cc: 620304@bugs.debian.org
Subject: Re: Bug#620304: tmux: Incorrect dropping of privileges allows users to obtain utmp group privileges
Date: Fri, 15 Apr 2011 20:01:02 +0100
Thanks, I'm glad to hear you are reconsidering this.

I might put it in the tmux FAQ as well.


On Wed, Apr 13, 2011 at 09:51:00AM +0200, Karl Ferdinand Ebert wrote:
>    Hello Nicholas,
> 
>    On Wed, Apr 13, 2011 at 12:31 AM, Nicholas Marriott
>    <[1]nicholas.marriott@gmail.com> wrote:
> 
>      Hi
> 
>      Not to say I told you so or anything, but this might be a good time to
>      reiterate that doing this is a bad idea: the minor inconvenience it
>      prevents (easily avoided by the user with either tmux -S or by setting
>      TMPDIR) is much less of a potential problem than running with elevated
>      privileges.
> 
>    Romain and I are about to change the behaviour and drop the privileges
>    completely.
>    Maybe at the end it will be only setting a proper TMPDIR or having a note
>    for the users to point out to how to use 'tmux -S'.
>    I should have considered this in the first place.
> 
>      Now I'm going to have to spend at least some of my time saying "no, not
>      tmux, Debian security problem"...
> 
>    As this is my fault for having introduced the modifcations I apologize
>    deeply for wasting your time.
>    For the record Ubuntu is affected too but not Fedora which has a seperate
>    group 'tmux'.
> 
>    Best regards,
> 
>    Ferdinand
> 
> References
> 
>    Visible links
>    1. mailto:nicholas.marriott@gmail.com




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Jun 2011 07:31:52 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 10:59:54 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.