
Bug#997977: /lib/systemd/system/monopd.service:8: Special user nobody configured, this is not safe!


Jason L. Quinn

Oct 28, 2021, 2:30:03 AM10/28/21
Package: monopd
Version: 0.10.2-4
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: jason.lee.q...@gmail.com, Debian Security Team <te...@security.debian.org>

Dear Maintainer,

Recently upgraded from Buster to Bullseye. I'm now perusing
"journalctl --boot" looking for errors and warnings and submitting
bug reports, as I tend to do after a Debian upgrade. One of the curious
lines in my journal logs was

/lib/systemd/system/monopd.service:8: Special user nobody configured, this is not safe!

This does indeed appear to be a valid systemd warning. See commit at

https://github.com/systemd/systemd/commit/bed0b7dfc0070e920d00c89d9a4fd4db8d974cf0

Marked as grave as per bug descriptions in the reportbug tool (introduces a
security hole).

Cheers,
Jason





-- System Information:
Debian Release: 11.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages monopd depends on:
ii libc6 2.31-13+deb11u2
ii libgcc-s1 10.2.1-6
ii libmuparser2v5 2.2.6.1+dfsg-1
ii libstdc++6 10.2.1-6
ii libsystemd0 247.3-6
ii lsb-base 11.1.0

monopd recommends no packages.

Versions of packages monopd suggests:
ii gtkatlantic 0.6.3-1

Markus Koschany

Oct 28, 2021, 6:10:04 AM10/28/21
On Thursday, 28.10.2021 at 14:24 +0800, Jason L. Quinn wrote:
> Package: monopd
> Version: 0.10.2-4
> Severity: grave
> Tags: security
> Justification: user security hole
> X-Debbugs-Cc: jason.lee.q...@gmail.com, Debian Security Team
> <te...@security.debian.org>
>
> Dear Maintainer,
>
> Recently upgraded from Buster to Bullseye. I'm now perusing
> "journalctl --boot" looking for errors and warnings and submitting
> bug reports, as I tend to do after a Debian upgrade. One of the curious
> lines in my journal logs was
>
> /lib/systemd/system/monopd.service:8: Special user nobody configured, this is not safe!
>
> This does indeed appear to be a valid systemd warning. See commit at
>
> https://github.com/systemd/systemd/commit/bed0b7dfc0070e920d00c89d9a4fd4db8d974cf0
>
> Marked as grave as per bug descriptions in the reportbug tool (introduces a
> security hole).

I don't think this constitutes a grave security issue alone just because the
server starts with owner nobody permissions, which has been the case for the
past 18 years, by the way. You need some kind of exploit and services/files of
the same owner to manipulate, which is unlikely given that possibly only two
people in the world, including myself, run a monopoly server in a "production"
environment.

I agree that we can use systemd's DynamicUser feature in this case and tighten
the permissions because it implies ProtectSystem=strict and PrivateTmp=yes. I
need to figure out if we need more permissions but probably not.

Regards,

Markus
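The two messages above describe, in turn, a unit file that runs a daemon as the shared special user nobody (the condition systemd's warning flags) and the proposed fix of switching it to DynamicUser=. The POSIX shell script below is an added example, not code from the bug report, from the monopd package or from systemd: it writes a constructed stand-in for monopd.service with User=nobody on line 8 into a scratch directory, locates every unit in that directory still configured that way (reporting file:line like the journal message), writes a drop-in that resets User=/Group= and enables DynamicUser=yes, and then computes the effective [Service] value the way systemd merges a unit with its drop-ins. The unit text, the function names and the drop-in file name 10-dynamic-user.conf are all assumptions made for the example. On a real system the drop-in belongs under /etc/systemd/system/monopd.service.d/ (what `systemctl edit monopd.service` creates), not next to the shipped unit in /lib/systemd/system.

```shell
#!/bin/sh
# Added example (not from the Debian bug, the monopd package or systemd).
# Reproduces the condition behind "Special user nobody configured, this is
# not safe!" in a scratch copy of a unit, finds it, and hardens it with a
# DynamicUser= drop-in. Paths are assumed to contain no whitespace.
set -eu

# Constructed sample unit, a stand-in for monopd.service. "User=nobody"
# deliberately sits on line 8 so the report matches the journal message.
write_sample_unit() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/monopd.service" <<'EOF'
[Unit]
Description=monopd (constructed sample, not the shipped unit)
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/monopd
User=nobody
Group=nogroup

[Install]
WantedBy=multi-user.target
EOF
}

# Print "path:line:User=nobody" for every .service file in the directory
# that still runs as the shared special user nobody.
find_nobody_units() {
    grep -n -H '^[[:space:]]*User=[[:space:]]*nobody[[:space:]]*$' "$1"/*.service 2>/dev/null || true
}

# Write a drop-in that replaces the static identity with a transient one.
# User= and Group= must be reset explicitly: if User= still names an
# existing static account, DynamicUser=yes reuses that account instead of
# allocating a transient user, so the daemon would keep running as nobody.
write_dynamic_user_dropin() {
    dir="$1"; unit="$2"
    mkdir -p "$dir/$unit.d"
    cat > "$dir/$unit.d/10-dynamic-user.conf" <<'EOF'
[Service]
# Reset the static identity, then let systemd allocate a transient one.
User=
Group=
DynamicUser=yes
EOF
}

# Effective value of one [Service] key after drop-ins are applied: the main
# file first, then every <unit>.d/*.conf in lexical order. A later
# assignment replaces an earlier one and an empty assignment resets the key.
effective_service_setting() {
    dir="$1"; unit="$2"; key="$3"
    files="$dir/$unit"
    for f in "$dir/$unit.d"/*.conf; do
        if [ -f "$f" ]; then files="$files $f"; fi
    done
    # $files is split on whitespace on purpose (no spaces in paths assumed).
    awk -v key="$key" '
        FNR == 1 { section = "" }
        /^\[/ { section = $0 }
        section == "[Service]" && index($0, key "=") == 1 {
            value = substr($0, length(key) + 2)
            sub(/^[[:space:]]+/, "", value); sub(/[[:space:]]+$/, "", value)
        }
        END { print value }
    ' $files
}

# Demonstration on a scratch directory standing in for /lib/systemd/system.
scratch=$(mktemp -d)
write_sample_unit "$scratch"
echo "units still running as nobody:"
find_nobody_units "$scratch"
write_dynamic_user_dropin "$scratch" monopd.service
echo "effective User= after drop-in: '$(effective_service_setting "$scratch" monopd.service User)'"
echo "effective DynamicUser= after drop-in: $(effective_service_setting "$scratch" monopd.service DynamicUser)"
rm -rf "$scratch"
```

The scan deliberately reads only the .service files, the same way the journal message names the shipped unit and line; the drop-in does not edit that file, which is why the effective-setting merge is needed to confirm that the override actually takes effect. A maintainer fixing the package would instead change the shipped unit itself, but the same reset-then-DynamicUser pattern applies.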