Bug 24977 - mtr: mtr should not run suid
Summary: mtr: mtr should not run suid
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-06-20 09:17 CEST by Rob Lemley
Modified: 2019-07-10 12:45 CEST (History)
5 users (show)

See Also:
Source RPM: mtr-0.92-2.mga7.src.rpm
CVE:
Status comment:

Attachments
mtr_suid_fix.patch (912 bytes, patch)
2019-06-20 09:30 CEST, Rob Lemley 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Description Rob Lemley 2019-06-20 09:17:06 CEST 
Description of problem:
mtr is not running because it is installed suid

Version-Release number of selected component (if applicable):
mtr-0.92-2.mga7

How reproducible:
Always

Steps to Reproduce:
1. Install mtr package
2. Run mtr with a user account:
  $ mtr 4.2.2.2
3. Error is displayed:
  mtr: mtr should not run suid
4. Verify permissions:
  $ ls -l /usr/sbin/mtr
  -rwsr-xr-x 1 root ntools 72552 Sep 28  2018 /sbin/mtr*

Workaround:
Per this macports bug, https://trac.macports.org/ticket/54977, only mtr-packet needs to be suid. Changing the permissions on /usr/sbin/mtr to 0755 fixes the problem. /usr/sbin/mtr-packet is set suid by the RPM already.
Comment 1 Rob Lemley 2019-06-20 09:30:15 CEST 
Created attachment 11117 [details]
mtr_suid_fix.patch

Updated SPEC file for mtr. Both /usr/bin/mtr and /usr/bin/xmtr exhibited the issue. The symlink permissions don't apply, but adjusted those as well.
Comment 2 Lewis Smith 2019-06-23 10:36:57 CEST 
Jani, I have assigned this (no maintainer) to you because it seems you dealt with it previously. Apologies if this is not appropriate; you will know where to pass it on.

CC: (none) => lewyssmith
Assignee: bugsquad => jani.valimaa

Comment 3 Jani Välimaa 2019-06-23 18:41:04 CEST 
Fixed in SVN for cauldron, but we need to wait until mga7 is branched and cauldron reopens.

I dropped all setuid bits and used capabilities (cap_net_raw+ep) for mtr-packet instead.

Whiteboard: (none) => MGA7TOO

Comment 4 Jani Välimaa 2019-06-29 16:30:42 CEST 
mtr-0.92-2.1.mga7 is landing to core/updates_testing for mga7. Please test.

Assignee: jani.valimaa => qa-bugs
CC: (none) => jani.valimaa

Lewis Smith 2019-06-30 20:29:31 CEST

CC: lewyssmith => (none)

Comment 5 Herman Viaene 2019-07-01 12:02:09 CEST 
MGA7-32 MATE on IBM Thinkpad R50e
No installation issues.
At CLI as normal user:
$ mtr -h

Usage:
 mtr [options] hostname

So tried 
$ mtr <remote hostname>
mtr: Failure to start mtr-packet: Invalid argument
$ mtr <remoteIPadress>
mtr: Failure to start mtr-packet: Invalid argument
$ mtr <ownIPaddress>
mtr: Failure to start mtr-packet: Invalid argument

Not sure this is intended behavior. Leaving for others to judge.

CC: (none) => herman.viaene

Comment 6 Len Lawrence 2019-07-01 22:44:31 CEST 
mga7, x86_64
$ mtr --version
mtr: mtr should not run suid
$ rpm -qa | grep mtr
mtr-0.92-2.mga7
$ ll /usr/sbin/mtr
-rwsr-xr-x 1 root ntools 72552 Sep 28  2018 /usr/sbin/mtr*

After update:

$ mtr --version
mtr 0.91.1-4c982
$ rpm -qa | grep mtr
mtr-0.92-2.1.mga7
$ ll /usr/sbin/mtr
-rwxr-xr-x 1 root ntools 72552 Jun 29 15:33 /usr/sbin/mtr*
$ mtr google.com
mtr: Failure to start mtr-packet: Invalid argument
$ sudo mtr google.com
                        My traceroute  [v0.91.1-4c982]
canopus (192.168.x.x)                                 2019-07-01T21:42:17+0100
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                       Packets               Pings
 Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. Arcturus                          0.0%    10    0.3   0.3   0.3   0.3   0.0
 2. 10.234.224.1                      0.0%    10    8.1   9.8   7.1  14.7   2.2
 3. sgyl-core-2a-xe-332-0.network.vi  0.0%    10    8.7  10.0   8.1  17.0   2.7
 4. ???
 5. tele-ic-8-ae5-0.network.virginme  0.0%    10   18.0  18.6  17.6  19.2   0.6
 6. 126-14-250-212.static.virginm.ne  0.0%    10   17.6  20.6  16.7  26.5   3.7
 7. 74.125.242.65                     0.0%     9   22.8  20.4  19.3  22.8   1.2
 8. 172.253.68.217                    0.0%     9   27.3  23.1  19.8  29.3   3.7
 9

Looks OK.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2019-07-01 22:46:03 CEST 
@Herman referring to comment 5: your test looks good.  What you saw seems to be the intended behaviour.
Len Lawrence 2019-07-01 22:47:18 CEST

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Thomas Backlund 2019-07-02 11:41:29 CEST

CC: (none) => tmb
Whiteboard: MGA7TOO MGA7-64-OK => MGA7-64-OK
Version: Cauldron => 7

Comment 8 Jani Välimaa 2019-07-02 15:21:46 CEST 
I think we should have all binaries either in /usr/bin or /usr/sbin, but not in mixed locations.

Makefile installs all binaries to /usr/sbin and we install a symlink for mtr to /usr/bin. Normally /usr/sbin isn't in $PATH and if mtr-packet isn't found from $PATH, the following is output (like we saw in comment 5):
mtr: Failure to start mtr-packet: Invalid argument

I would move all binaries to /usr/bin as I can't see why a normal user shouldn't have access to this tool.
Comment 9 Jani Välimaa 2019-07-02 15:51:58 CEST 
(In reply to Jani Välimaa from comment #8)
> 
> I would move all binaries to /usr/bin as I can't see why a normal user
> shouldn't have access to this tool.

Pushed mtr-0.92-2.2.mga7 to core/updates_testing. Please test.

Whiteboard: MGA7-64-OK => (none)

Comment 10 Len Lawrence 2019-07-04 19:54:43 CEST 
$ rpm -qa | grep mtr
mtr-0.92-2.1.mga7
$ mtr --version
mtr 0.91.1-4c982
$ mtr google.com
mtr: Failure to start mtr-packet: Invalid argument
$ sudo mtr google.com
<Runs OK>

Updated the package from mga7 updates testing.
Ran the update using MageiaUpdate.
...
installing mtr-0.92-2.2.mga7.x86_64

$ mtr --version
mtr 0.91.1-4c982
$ mtr google.com
My traceroute  [v0.91.1-4c982]
canopus (192.168.x.x)                                 2019-07-04T18:51:18+0100
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                       Packets               Pings
 Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. Arcturus                          0.0%     8    0.3   0.3   0.3   0.4   0.0
[...]

mtr can be run by an ordinary user.

Whiteboard: (none) => MGA7-64-OK

Comment 11 Rémi Verschelde 2019-07-10 11:49:13 CEST 
Advisory uploaded, validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2019-07-10 12:45:27 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2019-0050.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.