Page MenuHomePhabricator

enlightenment_system: /etc/enlightenment/sysactions.conf limitations are ineffective
Closed, ResolvedPublic

Description

f) /etc/enlightenment/sysactions.conf limitations are ineffective

There is a security mechanism implemented based on the file
/etc/enlightenment/sysactions.conf. This file defines which users/groups
are allowed to execute the enlightenment_system binary in the first place.

The _etc_enlightenment_system_conf() function parses this file. However
there seems to be a while or for loop body missing. Instead only the first
line of the file is ever parsed, which happens to be a comment line by
default. The logic in the function defaults to "allow everything" if nothing
else was determined. Thus this security mechanism is currently ineffective
and all users in the system can use the full functionality of the setuid-root
program.

I suggest to deny access by default and correct the algorithm to correctly
parse the configuration file.

http://bugzilla.suse.com/show_bug.cgi?id=1170169

simotek created this task.Apr 22 2020, 4:05 AM
simotek triaged this task as High priority.

i can't deny by default. the problem is the file installed is in PREFIX by defualt unless you change it and it's not used but a sample. the /etc/enlightenment/system.conf file is intended for distros to provide policy - if not provided then the policy is "allow" because users need this access. well if the file doesn't exist i have to allow. i cant do prefix searching because this is setuid. i can only rely on compile in prefix and since s is meant to be relocatable this kind of breaks then...

so it's "allow unless distro policy says otherwise". it could change the group and relevant exec perms on enlightenment_system and only members of a specific group get access to run it. but to have more than 1 group be able to, i need the above (in a traditional model. acl's notwithstanding).

the system.conf file is expected to provide a deny rule at the end if you want a policy of "deny unless an allow rule matches". otherwise it'll allow... :) the sample file installed does explain this :) that's why it has a deny at the end to have that effect of deny unless an allow matches

what i did was forget my for loop... silly me... :) never tested it.

i can't deny by default. the problem is the file installed is in PREFIX by defualt unless you change it and it's not used but a sample. the /etc/enlightenment/system.conf file is intended for distros to provide policy - if not provided

Then it should still be possible to deny by default if the file exists, no?