BSDSec

deadsimple BSD Security Advisories and Announcements

FreeBSD Errata Notice FreeBSD-EN-24:17.pam_xdg

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-24:17.pam_xdg                                        Errata Notice
                                                          The FreeBSD Project

Topic:          XDG runtime directory's file descriptor leak at login

Category:       core
Module:         pam_xdg
Announced:      2024-10-29
Credits:        Olivier Certner
Affects:        FreeBSD 14.1
Corrected:      2024-09-03 13:28:58 UTC (stable/14, 14.1-STABLE)
                2024-10-29 18:57:01 UTC (releng/14.1, 14.1-RELEASE-p6)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

pam_xdg(8) is a PAM module which sets up directories and environment
variables per the XDG Base Directory Specification[1].  In particular, it
creates a per-user directory to contain non-essential runtime files and sets
the environment variable XDG_RUNTIME_DIR to point to it.

II.  Problem Description

As a user logs in, if the per user XDG_RUNTIME_DIR directory already exists,
a file descriptor to that directory is leaked in the calling process.

III. Impact

This leaked directory file descriptor is inherited by all descendant processes
that do not explicitly close it.  In particular, it prevents an administrator
from using jexec(8) or launching a new jail via jail(8), as both commands use
the jail_attach(2) system call which fails with EPERM if the calling process has
an open directory in its file descriptor table, as a security measure to prevent
jail escape.

This file descriptor leak is normally harmless from a security standpoint as the
XDG_RUNTIME_DIR directory's content is usually readable and modifiable only by
its owner and its group.

IV.  Workaround

Shell primitives can close the leaking file descriptor before running
jexec(8) or jail(8).  For sh-like shells, use 'exec X>&-', where X is the
number of the leaked file descriptor obtained with 'fstat -p $$'

Alternatively, use a login program or shell that closes all inherited file
descriptors for root such as sudo(8) or csh(1).

Lastly, on machines not running a Freedesktop-based GUI desktop or some
that can set XDG_RUNTIME_DIR by itself (e.g., KDE), disable pam_xdg(8)
completely by commenting the corresponding lines in '/etc/pam.d/system' and
'/etc/pam.d/xdm'.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security branch
(releng) dated after the correction date.  A reboot is advised following the
upgrade, or a logout/re-login of your jail working sessions if practical.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

A reboot is advised following the upgrade, or a logout/re-login of your jail
working sessions if practical.

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-24:17/pam_xdg.patch
# fetch https://security.FreeBSD.org/patches/EN-24:17/pam_xdg.patch.asc
# gpg --verify pam_xdg.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

A reboot is advised following the upgrade, or a logout/re-login of your jail
working sessions if practical.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              9e8d504bb5a1    stable/14-n268630
releng/14.1/                            accf8cee6dd0  releng/14.1-n267726
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

[1] <URL:https://specifications.freedesktop.org/basedir-spec/latest/>
[2] <URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id(1751>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:17.pam_xdg.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmchUCMACgkQbljekB8A
Gu8//xAAtTW3AJdvvbA58EUdBkz1mb60dhJ0DCBRiE+4kTApym8+PNvzRAib4i5R
RiZGx/axXvUmP1qVKCgpYjaf3D/vrbBEk4bqrCcgZlPVEWbSm1jrLzFjZNr7vYUn
AxCaF4RpzkAAku6qV8BuQal2cVpCRt0Ad5CkFArdp8KqeVyZIIf3yM2UQn4nzrxf
ycZF1GWzvh/izIK2zmaxFVNzYToz4l6qj0Y5t0Mi4OhSq3J63gHv4UhH+/Fn0mnT
fkd90lCrAQIgu6BZbg9FBJn76y7itSuyIu2MeZdklXnnqTBgFWh+7Wd+79Fq7iHT
dAuQo4znIJAw5Z5J4rAAm8aqP4joozJoI3xJhP8U4qpj5FYOEn/yJiZmnETUwyh5
AcNuiRrjJKieskmr0yruGbwVS+dtkNWQcVSgfUWVL77vv/t9ui7c8Ezjkn5amicP
17m4NmO+HYW/X5ST7FqBx7nrT8c5wMzsiHCtCEpz53oeWUvnPLGz9TKCXUTAbMUU
IG99B+1pvA4IFOjZ1xO2xKowueekqQLOTavby/tV0aatgkAFlWZKXIDYMV/XEVdL
/eHij8kT2hoooQdhxuj8jvpKKFIcPqiLF5RTDkhNyXOKZvXSXiC2bgAWLa+pQi8/
PpKIeWH29fJpQ2hF/b+fKzF7NjYgCs1ZzGrLWC+ziMnthNzzR9s=yn4N
-----END PGP SIGNATURE-----