CVE-2017-18078

Published: 29 January 2018

systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.

Priority

Low

CVSS 3 base score: 7.8

Status

Package Release Status
systemd
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 16.04 ESM (Xenial Xerus) Ignored

Ubuntu 14.04 ESM (Trusty Tahr) Ignored

Patches:
Upstream: https://github.com/systemd/systemd/commit/5579f85663d10269e7ac7464be6548c99cea4ada

Notes

AuthorNote
ratliff
mitigated by fs.protected_hardlinks = 1
mdeslaur
patch simply refuses to set hardlink file permissions if the
kernel hardening feature is turned off, which may result in
breakage. We will not be releasing an update for this issue as
our default configuration is not vulnerable.

References

Bugs