#14 mkhomedir: add support for pre-CVE-2020-10737 behavior
Opened a month ago by abbra. Modified a month ago

file modified
+13 -3
@@ -53,9 +53,11 @@ 

  static const char *skel_dir;

  static struct passwd *pwd;

  static mode_t override_umask;

+ static int owner_mkdir_first = 0;

  

  #define FLAG_POPULATE	(1 << 0)

  #define FLAG_QUIET	(1 << 1)

+ #define FLAG_OWNER_MKDIR_FIRST (1 << 2)

  

  /* Given the path of an item somewhere in the skeleton directory, create as

   * identical as possible a copy in the destination tree. */
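Review bot: The new file-scope `owner_mkdir_first`, declared next to `override_umask`, has no comment even though it is the switch that turns off a security fix. A short comment at the declaration would help, for example `/* Set by -f: the top-level home directory is owned by the user from creation (pre-CVE-2020-10737 behavior). */`. It appears to mirror the `FLAG_OWNER_MKDIR_FIRST` bit so that the tree-walk callback can read it; if that is the reason, the comment should say so.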
@@ -158,7 +160,7 @@ 

  		 * target user just yet to avoid potential race conditions

  		 * involving symlink attacks when we copy over the skeleton

  		 * tree. */

- 		if (status->level == 0) {

+ 		if (status->level == 0 && !owner_mkdir_first) {

  			uid = 0;

  			gid = 0;

  		}
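Review bot: The comment directly above the changed condition still says ownership is withheld from the target user to avoid symlink races, but with `owner_mkdir_first` set the `uid = 0; gid = 0;` branch is skipped and that protection no longer applies. I would extend the comment with a line such as `* When -f is given this deferral is skipped and the race is possible again.` so a reader does not take the old guarantee for granted. The same applies to `/* only now give ownership to the target user */` in the hunk at -237, where the `chown()` is now conditional. The comment and the enclosing function both begin outside this hunk.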
@@ -222,6 +224,9 @@ 

  		       pwd->pw_dir);

  		return HANDLER_INVALID_INVOCATION;

  	}

+ 	if (flags & FLAG_OWNER_MKDIR_FIRST) {

+ 		owner_mkdir_first = 1;

+ 	}

  	if ((lstat(pwd->pw_dir, &st) == -1) && (errno == ENOENT)) {

  		/* Figure out which location we're using as a

  		 * template. */
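Review bot: Nothing records that the helper is running in the weakened mode once `owner_mkdir_first = 1` is set in the added `if`. The description says the option is enabled by editing oddjobd-mkhomedir.conf, so an operator reviewing a host later has only that file to go on; a one-line warning naming `pwd->pw_dir` at this point would leave a trace for each directory created this way. If the file already uses syslog (not visible in this hunk), something like `syslog(LOG_WARNING, "-f in effect: %s is created user-owned before population", pwd->pw_dir);` would do. The three-line `if` could also be written as `owner_mkdir_first = (flags & FLAG_OWNER_MKDIR_FIRST) != 0;`.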
@@ -237,7 +242,7 @@ 

  				int res = nftw(get_skel_dir(), copy_single_item, 5,

  					       FTW_PHYS);

  				/* only now give ownership to the target user */

- 				if (res == 0) {

+ 				if (res == 0 && !owner_mkdir_first) {

  					res = chown(pwd->pw_dir, pwd->pw_uid, pwd->pw_gid);

  				}

  
@@ -317,8 +322,11 @@ 

  	umask(override_umask);

  	skel_dir = "/etc/skel";

  

- 	while ((i = getopt(argc, argv, "nqs:u:")) != -1) {

+ 	while ((i = getopt(argc, argv, "nqfs:u:")) != -1) {

  		switch (i) {

+ 		case 'f':

+ 			flags |= FLAG_OWNER_MKDIR_FIRST;

+ 			break;

  		case 'n':

  			flags &= ~FLAG_POPULATE;

  			break;
@@ -339,6 +347,8 @@ 

  			break;

  		default:

  			fprintf(stderr, "Valid options:\n"

+ 				"-f\tCreate home directory initially owned by user, "

+ 				"not root. See man page for security issues.\n"

  				"-n\tDo not populate home directories, "

  				"just create them.\n"

  				"-q\tDo not print messages when creating "

@@ -10,6 +10,15 @@ 

  

  The mkhomedir helper itself accepts these options:

  .TP

+ -f

+ Restore behavior before CVE-2020-10737 was fixed: create the home directory

+ with user's ownership directly rather than create it as a root and only after

+ populating it change to the user's ownership. The former behavior is insecure

+ but may be used to allow creation of NFS-mounted home directories when

+ non-Kerberos authentication is in use. It is prone for a race condition that

+ could be exploited in the NFS-mounted home directories use case. To avoid

+ CVE-2020-10737, do not use \fB-f\fR option in production environments.

+ .TP

  -q

  Refrain from outputting the usual "Creating home directory..." message when it

  creates a home directory.

The pre-CVE-2020-10737 behavior was used to allow creating home directories
on NFS mounts when a non-Kerberos authentication method is in use. This is
exactly the case where the race condition addressed by the CVE-2020-10737
fix could occur. However, there are legitimate use cases where this
setup is needed.

Add '-f' option to mkhomedir helper to activate previous behavior. In
order to enable it, a change to oddjobd-mkhomedir.conf configuration
file is needed by explicitly adding '-f' option to the executable file
definition.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2050079

Signed-off-by: Alexander Bokovoy abokovoy@redhat.com