Embarrassing security bug in systemd
- Date: 06 Dec 2017 22:52:17 +0100
- From: Urs Thuermann <urs@xxxxxxxxxxxxxxxxx>
- Subject: Embarrassing security bug in systemd
Yesterday, my 10 years old son logged into my laptop running Debian
jessie using his account, and curiously asked if he is allowed to try
the /sbin/reboot command. Knowing I have a Linux system as opposed to
some crappy Win machine, I replied "sure, go ahead and try". Seconds
later I was completely shocked when the machine actually rebooted...
Of course, my son doesn't have any special privileges, no entry in
/etc/sudoers, etc. But then I see
$ ls -l /sbin/reboot
lrwxrwxrwx 1 root root 14 Apr 8 2017 /sbin/reboot -> /bin/systemctl
$ ls -l /bin/systemctl
-rwxr-xr-x 1 root root 538904 Apr 8 2017 /bin/systemctl
$ dpkg -S /bin/systemctl
The /bin/systemctl binary is not suid root, so I assume it
communicates to systemd which then reboots the machine without
checking what user the request comes from.
I wonder how can such a severe bug make it into a Debian stable
distribution? And is this just an insane default setting on Debian's
side or is it yet another instance of brain-dead systemd behavior?
Searching the man pages I couldn't find a way to fix this. How can
that be stopped?
 Of course, this is not docuemented in systemctl(1) as usual with
systemd. Also, according to the man page, systemctl must be
called with a "COMMAND" argument which /sbin/reboot doesn't do.
Obviously, systemctl looks at the name it was called and somehow
uses that as command. The admin shall guess about this.