PR#14: mkhomedir: add support for pre-CVE-2020-10737 behavior - oddjob

oddjob

#14 mkhomedir: add support for pre-CVE-2020-10737 behavior

Merged 2 years ago by abbra. Opened 2 years ago by abbra.

abbra/oddjob restore-nfs-create-mkdir into master

mkhomedir: add support for pre-CVE-2020-10737 behavior

Alexander Bokovoy • 2 years ago

71b0389

src/mkhomedir.c

file modified

+13 -3

		`@@ -53,9 +53,11 @@`
		`static const char *skel_dir;`
		`static struct passwd *pwd;`
		`static mode_t override_umask;`
		`+ static int owner_mkdir_first = 0;`

		`#define FLAG_POPULATE (1 << 0)`
		`#define FLAG_QUIET (1 << 1)`
		`+ #define FLAG_OWNER_MKDIR_FIRST (1 << 2)`

		`/* Given the path of an item somewhere in the skeleton directory, create as`
		`* identical as possible a copy in the destination tree. */`
		`@@ -158,7 +160,7 @@`
		`* target user just yet to avoid potential race conditions`
		`* involving symlink attacks when we copy over the skeleton`
		`* tree. */`
		`- if (status->level == 0) {`
		`+ if (status->level == 0 && !owner_mkdir_first) {`
		`uid = 0;`
		`gid = 0;`
		`}`
		`@@ -222,6 +224,9 @@`
		`pwd->pw_dir);`
		`return HANDLER_INVALID_INVOCATION;`
		`}`
		`+ if (flags & FLAG_OWNER_MKDIR_FIRST) {`
		`+ owner_mkdir_first = 1;`
		`+ }`
		`if ((lstat(pwd->pw_dir, &st) == -1) && (errno == ENOENT)) {`
		`/* Figure out which location we're using as a`
		`* template. */`
		`@@ -237,7 +242,7 @@`
		`int res = nftw(get_skel_dir(), copy_single_item, 5,`
		`FTW_PHYS);`
		`/* only now give ownership to the target user */`
		`- if (res == 0) {`
		`+ if (res == 0 && !owner_mkdir_first) {`
		`res = chown(pwd->pw_dir, pwd->pw_uid, pwd->pw_gid);`
		`}`

		`@@ -317,8 +322,11 @@`
		`umask(override_umask);`
		`skel_dir = "/etc/skel";`

		`- while ((i = getopt(argc, argv, "nqs:u:")) != -1) {`
		`+ while ((i = getopt(argc, argv, "nqfs:u:")) != -1) {`
		`switch (i) {`
		`+ case 'f':`
		`+ flags \|= FLAG_OWNER_MKDIR_FIRST;`
		`+ break;`
		`case 'n':`
		`flags &= ~FLAG_POPULATE;`
		`break;`
		`@@ -339,6 +347,8 @@`
		`break;`
		`default:`
		`fprintf(stderr, "Valid options:\n"`
		`+ "-f\tCreate home directory initially owned by user, "`
		`+ "not root. See man page for security issues.\n"`
		`"-n\tDo not populate home directories, "`
		`"just create them.\n"`
		`"-q\tDo not print messages when creating "`

src/oddjobd-mkhomedir.conf.5.in

file modified

		`@@ -10,6 +10,15 @@`

		`The mkhomedir helper itself accepts these options:`
		`.TP`
		`+ -f`
		`+ Restore behavior before CVE-2020-10737 was fixed: create the home directory`
		`+ with user's ownership directly rather than create it as a root and only after`
		`+ populating it change to the user's ownership. The former behavior is insecure`
		`+ but may be used to allow creation of NFS-mounted home directories when`
		`+ non-Kerberos authentication is in use. It is prone for a race condition that`
		`+ could be exploited in the NFS-mounted home directories use case. To avoid`
		`+ CVE-2020-10737, do not use \fB-f\fR option in production environments.`
		`+ .TP`
		`-q`
		`Refrain from outputting the usual "Creating home directory..." message when it`
		`creates a home directory.`

abbra commented 2 years ago

Pre-CVE-2020-10737 behavior was used to allow creating home directories
on NFS mounts when non-Kerberos authentication method is in use. This is
exactly the case where a race condition addressed by the CVE-2020-10737
fix could have happened. However, there are legit use cases where this
setup is needed.

Add '-f' option to mkhomedir helper to activate previous behavior. In
order to enable it, a change to oddjobd-mkhomedir.conf configuration
file is needed by explicitly adding '-f' option to the executable file
definition.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2050079

Signed-off-by: Alexander Bokovoy abokovoy@redhat.com