Run brew commands as regular user when lynis is invoked as root
#1564
+19
−2
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Neved4
changed the title
brew commands as regular user when lynis is invoked as root
|
So this function:
RunBrewAsUser() {
{ "$(id -u)" && sudo -u "$SUDO_USER" brew "$@"; } || brew "$@"
}
...begins by expanding the command substitution, `"$(id -u)"`. In Bash 5.2
in Posix mode, this comsub outputs '10151' to Stdout. On a Linux machine it
might print something in the low 1000's range. Any code before '&&' is read
by the shell as one entire command, so, since this particular command line
contains just one string, the shell will most likely search PATH for a
command named 10151 (unless there is an alias or function by that name).
This is probably not what was intended.
In Linux, system commands can begin with digits, but neither 10151 nor 1000
nor 0 are common command names, so a bad actor could place a malicious
script or program in PATH which the kernel would then attempt to execute.
If lynis had been executed with root permissions, and if such a malicious
script or program as this existed, then, my understanding at this time is
that the kernel would be instructed by the user to execute such a program
with root privileges. ?
Wiley
…On Mon, Oct 21, 2024, 05:40 ⑆ Neveda ⑈ ***@***.***> wrote:
Runs Homebrew commands as original user when Lynis is invoked as root
Fixes #382 <#382>, related #1273
<#1273>.
Instead of running Homebrew as the root user, this change runs it as a
normal user, which is the intended use case for Homebrew. After the change,
the command is run a non-root user context, which seems a way to
effectively drop privileges.
Note
The function could have a different or more descriptive name, refactored
to be more compact, etc. See:
RunBrewAsUser() {
{ "$(id -u)" && sudo -u "$SUDO_USER" brew "$@"; } || brew "$@"
}
------------------------------
Security
Thanks to brew's safeguards this might not be exploitable, but including
the following information for reference.
MITRE CWE-250 <https://cwe.mitre.org/data/definitions/250.html> is
related to this change:
CWE ID CWE Title Description
CWE-250 <https://cwe.mitre.org/data/definitions/250.html> Execution with
Unnecessary Privileges The software runs with more privileges than
necessary, which can lead to security vulnerabilities.
This change follows REF-76
<https://web.archive.org/web/20211209014121/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege>
by dropping the privileges as soon as possible:
*Run your code using the lowest privileges that are required to accomplish
the necessary tasks.*
*Wrap and centralize this functionality if possible, and isolate the
privileged code as much as possible from other code.*
*Raise privileges as late as possible, and drop them as soon as possible
to avoid CWE-271 <https://cwe.mitre.org/data/definitions/271.html>.*
Source: *CWE-250: Execution with Unnecessary Privileges*
<https://cwe.mitre.org/data/definitions/250.html>.
------------------------------
You can view, comment on, or merge this pull request online at:
#1564
Commit Summary
- ec13cf8
<ec13cf8>
Run brew as regular user in place of root
File Changes
(2 files <https://github.com/CISOfy/lynis/pull/1564/files>)
- *M* include/functions
<https://github.com/CISOfy/lynis/pull/1564/files#diff-6b1c9d5fa25dcef458956914b06d9a272a7dbb697dde7953818b368df3068168>
(17)
- *M* include/tests_ports_packages
<https://github.com/CISOfy/lynis/pull/1564/files#diff-ac2f15c8a8f71ea9668c7b5bc1640e1273fd5c288e7925974d482e3f48ca13a1>
(4)
Patch Links:
- https://github.com/CISOfy/lynis/pull/1564.patch
- https://github.com/CISOfy/lynis/pull/1564.diff
—
Reply to this email directly, view it on GitHub
<#1564>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AUF2F27MGYTAIFZ5TIJAZWDZ4TY5LAVCNFSM6AAAAABQKCQZHKVHI2DSMVQWIX3LMV43ASLTON2WKOZSGYYDENBSHE3DCNA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
|
Have I gotten anything wrong in this reply? It's been kind of a weird day. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #382, related #1273.
Instead of running Homebrew as the root user, this change runs it as a normal user, which is the intended use case for Homebrew. After the change, the command is run a non-root user context, which seems a way to effectively drop privileges.
This prevents raising the error:
Note: the function could have a different descriptive name, refactored to be more compact, etc. See:
Security
Thanks to
brew's safeguards this might not be exploitable, but including the following for reference.MITRE's CWE-250 is related to this change:
This change follows REF-76 by dropping the privileges as soon as possible, as in: