User with restricted rights is able to shutdown machine while ssh superuser is connected

Bug #441669 reported by stop
Affects           Status    Importance  Assigned to  Milestone
openssh (Ubuntu)  Triaged   Low         Unassigned

Bug Description

I was updating an Xubuntu 32-bit Karmic machine from an Ubuntu 64-bit Karmic machine over ssh with elevated privileges (sudo bash).
A user with a restricted account was able to shut down the Xubuntu machine while this ssh session was running. This was not the case in Jaunty. The Xubuntu machine reported a dpkg interruption after I restarted it.
This problem is reproducible most of the time, but once the Xubuntu machine asked for a password before shutting down. Even when the right password was given it wouldn't shut down (which isn't much of a problem, because in my opinion it should never shut down while a superuser is logged in). But once the superuser had logged out the machine still wouldn't shut down (which is a problem again)...

I am not sure which package is to blame here, so I opted for ssh (but it could also be something to do with user privileges, shutdown procedures, etc.).
I also wasn't sure whether this is a security issue. It's not an exploit or anything, but it could get quite ugly if things like this can happen.

ProblemType: Bug
Architecture: amd64
Date: Sat Oct 3 21:23:23 2009
DistroRelease: Ubuntu 9.10
NonfreeKernelModules: vmnet vmci vmmon nvidia
Package: ssh (not installed)
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-11.38-generic
SourcePackage: openssh
Uname: Linux 2.6.31-11-generic x86_64

Revision history for this message
stop (whoopwhoop) wrote :

As an extra note, I didn't ssh as the superuser; I ran "sudo bash" inside the ssh session and started upgrading when this happened the first time. Later on I tried starting a program (like "sudo vi") and just plain "sudo bash", and it happened 3 more times (the normal user could shut down the machine); once I got a password request on the Xubuntu machine (and it wouldn't shut down at all, even after ssh was disconnected).

security vulnerability: yes → no
visibility: private → public
Revision history for this message
Chuck Short (zulcss) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Please answer these questions:
1. Is this reproducible?
2. If so, what specific steps should we take to recreate this bug? Be as detailed as possible.
This will help us to find and resolve the problem.

Changed in openssh (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Revision history for this message
stop (whoopwhoop) wrote :

1. Yes
2. I can reproduce it via the following steps:
* Boot Xubuntu Karmic 32-bit (with the openssh service running) and log in with an account with restricted rights (no sudo etc.).
* Boot another machine (in my case Ubuntu Karmic 64-bit). Use this machine to connect to the Xubuntu machine via ssh. Enter "sudo bash" within the ssh session to obtain elevated privileges on the remote (Xubuntu) machine.
* Shut down the Xubuntu machine via the menu (GUI desktop) with the restricted account.

One of the following two things happens on my end:
1. The machine shuts down, obviously stopping the ssh connection and kicking the user with elevated privileges out. (This was not the case in previous versions and is hazardous: what if the ssh connection is doing important work?)
2. The machine does not shut down but displays a GUI password dialog, and the restricted account is not able to shut down even after the user with elevated privileges disconnects. (So now, all of a sudden, you need to log in as an unrestricted user to be able to shut down the machine.)

stop (whoopwhoop)
Changed in openssh (Ubuntu):
status: Incomplete → New
Revision history for this message
Mathias Gug (mathiaz) wrote : Re: [Bug 441669] Re: User with restricted rights is able to shutdown machine while ssh superuser is connected

On Wed, Oct 14, 2009 at 02:54:36PM -0000, whoop wrote:
> 1The machine shuts down, obviously stopping the ssh connection and kicking the user with elevated privileges out. (this was not the case in previous versions and is hazardous, what if the ssh connection is doing important stuff etc.)

Could you confirm which previous version had a different behavior? What
was happening then?

  status incomplete

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Mathias Gug (mathiaz)
Changed in openssh (Ubuntu):
status: New → Incomplete
Revision history for this message
stop (whoopwhoop) wrote :

I don't know the exact version. By previous version I mean Jaunty (and Intrepid, Hardy and Gutsy).
The behaviour was different:
If the restricted user tried to shut down (the local machine) while a remote user (with elevated privileges) was logged in, the restricted user would get a dialog stating that the system could not be shut down because an elevated user was using the machine. Once the elevated user had logged out, the restricted user could shut down the machine...

Changed in openssh (Ubuntu):
status: Incomplete → New
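The reproduction steps above (a restricted local user shutting down while a remote ssh session holds a root shell) and the Jaunty behaviour just described (refuse the shutdown while an elevated remote user is logged in) can both be checked with a small pre-shutdown guard. The script below is an added example written for this page, not code from the bug report, Ubuntu or openssh: it decides from `who` and `ps -eo user,tty,comm` whether any remote pseudo-terminal session is running a process as root, and refuses the shutdown if so. The `who`/`ps` output embedded in it is constructed sample data so it runs offline; the policy of ignoring root processes on local ttys and only blocking on remote pts sessions is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the bug report): refuse shutdown while a remote
# session (a pts/N login from a non-local origin) has a root-owned process,
# which is the Jaunty-era behaviour the reporter describes.

# Constructed sample of `who` output: a local X session on tty7 and an ssh
# login on pts/0 from another host.
SAMPLE_WHO='alice    tty7         2009-10-14 14:20 (:0)
bob      pts/0        2009-10-14 14:50 (192.168.1.23)'

# Constructed sample of `ps -eo user,tty,comm`: bob ran "sudo bash" and then
# apt-get inside the ssh session, so root owns processes on pts/0.
SAMPLE_PS='USER     TT       COMMAND
alice    tty7     xfce4-session
bob      pts/0    bash
root     pts/0    bash
root     pts/0    apt-get'

# remote_ttys WHO_OUTPUT: print the tty of every pts/ session whose origin
# (last field) is not a local X display such as "(:0)".
remote_ttys() {
    printf '%s\n' "$1" | awk '$2 ~ /^pts\// && $NF !~ /^\(:[0-9]/ { print $2 }'
}

# root_on_tty TTY PS_OUTPUT: exit 0 if a root-owned process runs on TTY.
root_on_tty() {
    tty="$1"
    ps_out="$2"
    printf '%s\n' "$ps_out" | awk -v t="$tty" '
        NR > 1 && $1 == "root" && $2 == t { found = 1 }
        END { exit found ? 0 : 1 }'
}

# shutdown_blocked WHO_OUTPUT PS_OUTPUT: exit 0 (block) when any remote
# session holds a root process, 1 (allow) otherwise.
shutdown_blocked() {
    who_out="$1"
    ps_out="$2"
    for t in $(remote_ttys "$who_out"); do
        if root_on_tty "$t" "$ps_out"; then
            echo "shutdown refused: root process on remote session $t" >&2
            return 0
        fi
    done
    return 1
}

# Demonstration on the constructed data: this case is blocked.
if shutdown_blocked "$SAMPLE_WHO" "$SAMPLE_PS" 2>/dev/null; then
    echo "sample: shutdown would be refused"
else
    echo "sample: shutdown would proceed"
fi

# Real use on a live host (left commented so the example stays side-effect free):
# shutdown_blocked "$(who)" "$(ps -eo user,tty,comm)" || shutdown -h now
```

The check is deliberately conservative: it keys on the tty of the root process rather than on who started it, so a root shell obtained through `sudo bash` in the ssh session is caught even though `who` only reports the unprivileged login name. A root process on a local tty does not block, matching the reporter's point that the concern is the remote elevated user being cut off mid-operation.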
Revision history for this message
Charlie Kravetz (charlie-tca) wrote :

Thank you for this report and the additional information supplied. Is this still an issue with the final release of Xubuntu 9.10?

Changed in openssh (Ubuntu):
status: New → Incomplete
Revision history for this message
stop (whoopwhoop) wrote :

Yes it is...

Changed in openssh (Ubuntu):
status: Incomplete → New
Revision history for this message
Charlie Kravetz (charlie-tca) wrote :

Thanks for the fast reply. Based on the above information and attachments, I am confirming this bug. There should be enough information for the developers to begin work to resolve this issue. Thanks for helping improve Xubuntu.

Changed in openssh (Ubuntu):
status: New → Triaged