CVE-2015-7529: CVE-2015-7529 - predictable tmp files usage · Issue #696 · sosreport/sos

sosreport in SoS 3.x allows local users to obtain sensitive information from sosreport files or gain privileges via a symlink attack on an archive file in a temporary directory, as demonstrated by sosreport-$hostname-$date.tar in /tmp/sosreport-$hostname-$date.


Mateusz Guzik reports that sos-3.x is vulnerable to symbolic link attacks since it uses predictable temporary file names in the configured --tmp-dir location. If this location is shared with other users (the default on most distributions) then it is possible for a malicious user to obtain content from the archive and in some circumstances to execute arbitrary commands with administrative privileges.

Instead of using the default system temporary directory (/tmp, /var/tmp) use a private directory that excludes non-administrative users from searching or reading the directory contents, e.g.:

# mkdir /var/tmp/sos
# chmod 700 /var/tmp/sos
# sosreport --tmp-dir /var/tmp/sos

Note that the chmod is not strictly necessary assuming the root user’s umask is set appropriately.

Recent kernels support the protected_symlinks feature, which can be used to mitigate this class of attack; it is enabled by default on most distributions that support the feature:

   /proc/sys/fs/protected_symlinks (since Linux 3.6)
      When the value in this file is 0, no restrictions are placed on following
      symbolic links (i.e., this is the historical behavior before Linux 3.6).
      When the value in this file is 1, symbolic links are followed only in
      the following circumstances:

      *  the filesystem UID of the process following the link matches the
         owner (UID) of the symbolic link (as described in credentials(7),
         a process's filesystem UID is normally the same as its effective UID);

      *  the link is not in a sticky world-writable directory; or

      *  the symbolic link and its parent directory have the same owner (UID).

      A system call that fails to follow a symbolic link because of the above
      restrictions returns the error EACCES in errno.

      The default value in this file is 0.  Setting the value to 1 avoids a
      longstanding class of security issues based on time-of-check, time-of-use
      races when accessing symbolic links.

Note that relying on the protected_symlinks feature does not entirely eliminate risk: an attacker could create a regular file that they own (in place of the output file sos expects to create) and use this to obtain archive content that would not normally be exposed to their user and group ID.

Users of sosreport are recommended to use an alternate --tmp-dir setting whenever possible.
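The two defensive measures above, as an added example that is not sos project code: check_tmp_dir() validates a --tmp-dir candidate the way an administrator would before pointing sosreport at it (real directory, owned by the caller, mode 0700), and create_archive_file() shows how an output file with a predictable name can be created so that a symlink or regular file already sitting at that path makes the open fail rather than being followed or reused. The scratch directory, archive name and planted link in demo() are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile

def check_tmp_dir(path):
    """Problems with a --tmp-dir candidate: it must be a real directory (not a
    symlink) owned by the invoking user and closed to group/other (mode 0700)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["tmp-dir is a symbolic link"]
    if not stat.S_ISDIR(st.st_mode):
        return ["tmp-dir is not a directory"]
    problems = []
    if st.st_uid != os.geteuid():
        problems.append("tmp-dir is not owned by the invoking user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("tmp-dir is accessible to group or others")
    return problems

def create_archive_file(path):
    """Create the archive, refusing anything already at the predictable name:
    O_CREAT|O_EXCL fails with EEXIST on an existing file or (dangling) symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)

def demo():
    """Exercise both checks in a scratch directory; the archive name mirrors
    the sosreport-$hostname-$date.tar pattern and is constructed."""
    base = tempfile.mkdtemp(prefix="sos-example-")     # mkdtemp uses mode 0700
    results = {"private_dir_problems": check_tmp_dir(base)}
    os.chmod(base, 0o1777)                              # same mode as a shared /tmp
    results["shared_dir_problems"] = check_tmp_dir(base)
    os.chmod(base, 0o700)
    archive = os.path.join(base, "sosreport-host-20151201.tar")
    os.symlink("/nonexistent/target", archive)          # simulate a pre-planted link
    try:
        create_archive_file(archive)
        results["planted_symlink_refused"] = False
    except FileExistsError:
        results["planted_symlink_refused"] = True
    os.unlink(archive)
    fd = create_archive_file(archive)                   # clean path: creation succeeds
    os.close(fd)
    results["fresh_path_created"] = stat.S_ISREG(os.lstat(archive).st_mode)
    shutil.rmtree(base)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```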

A fix for this problem is currently in master and will be included in the next sos release. This may be backported to earlier releases carried by distributions. Concerned users should contact their distribution’s normal support channels for information regarding updated packages to fix this flaw.
