Bugzilla – Bug 1197464
AUDIT-FIND: CVE-2022-27815: swhkd: Use of Fixed Temporary File in /tmp/swhkd.pid
Last modified: 2022-04-14 08:55:30 UTC
+++ This bug was initially created as a clone of Bug #1196890

This is to track issue 2.a) of the parent bug:

## 2.a) Use of Fixed Temporary File in /tmp/swhkd.pid

The daemon running as root uses this path to record its own PID for instance monitoring. This fixed path has the following issues:

- local application DoS: if an attacker places the PID of an existing process there (e.g. PID 1), other users cannot start the daemon any more.
- local information leak if kernel symlink protection is turned off. The daemon logs the *full* content of the PID file to stdout:

  [2022-03-21T15:44:28Z DEBUG swhkd] Previous PID: secret

- local system DoS if kernel symlink protection is off. The daemon will overwrite the target file with its own PID. This could also create a world-readable file in interesting locations that allow for further attack vectors in other programs.
- functional issue: such a setup is not suitable for multiple users using the software in parallel.

Suggested Fix:

## 3.a) All PID and socket files should be placed in non-public locations:

- The daemon PID file belongs in /run/swhkd/. This directory needs to be root-owned and read-only for others. The PID filename needs to be suffixed with the UID of the user that invoked pkexec. This information is available via the `PKEXEC_UID` environment variable. This way multiple swhkd instances don't interfere with each other.
I have fixed CVE-2022-27815 in the following commit: https://github.com/waycrate/swhkd/commit/3864bb7cd9cec1ffdb303a7bbbf9c9d5ffe0ed1a A review from the security team would help.
I was wondering if this root-readonly directory could reside in /etc/swhkd? I really want to keep my tool init system independent, and relying on /run adds the crutch of maintaining service files for runit, openrc, sysvinit, dinit, s6, and suite66 (only the popular alternate inits to systemd) along with systemd.
I have decided to go with /etc/swhkd/runtime as the root-owned, read-only directory; please do let me know if this entails any security risks. Updated link: https://github.com/waycrate/swhkd/pull/93/commits/ee3534b401cba71fddf378f7e1cb18ada0e6fa75
The patch looks good so far. Putting state data into /etc is not a security problem, but it is highly irregular, plainly wrong for any UNIX system. /run hasn't much to do with init systems; it is according to the FHS standard.
> /run hasn't much to do with init systems; it is according to the FHS standard.

I understand; the only problem is that /run is cleared on reboot and I would need to write a service file to recreate it every single time, hence the /etc choice. I might address this in the future.
By recreate "it" I mean the root owned swhkd directory.
(In reply to aakashsensharma@gmail.com from comment #6)
> By recreate "it" I mean the root owned swhkd directory.

I don't really see the problem: swhkd has root privileges and can create the directory on the fly, if necessary. Otherwise you could place the files flat (i.e. directly into /run), which would clutter the directory, however.
Hm yes I don't know why I didn't think of that initially. I will do that in the upcoming release just to not push too many breaking changes at once since some users are already on the /etc/runtime patch.
I'm considering this finding fixed and will close the bug accordingly. You should still take care of using a proper directory location for the PID file.