From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <mgerstner@suse.de>
Date: Fri, 14 Aug 2020 22:14:36 -0700
Subject: [PATCH] Correct multiple security issues that are present if the tcsd
 is started by root instead of the tss user.

Patch fixes the following 3 CVEs:

CVE-2020-24332
If the tcsd daemon is started with root privileges,
the creation of the system.data file is prone to symlink attacks

CVE-2020-24330
If the tcsd daemon is started with root privileges,
it fails to drop the root gid after it is no longer needed

CVE-2020-24331
If the tcsd daemon is started with root privileges,
the tss user has read and write access to the /etc/tcsd.conf file

Authored-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com>

Upstream-Status: Backport
CVE: CVE-2020-24332
CVE: CVE-2020-24330
CVE: CVE-2020-24331

Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 src/tcs/ps/tcsps.c   |  2 +-
 src/tcsd/svrside.c   |  1 +
 src/tcsd/tcsd_conf.c | 10 +++++-----
 3 files changed, 7 insertions(+), 6 deletions(-)

Index: git/src/tcs/ps/tcsps.c
===================================================================
--- git.orig/src/tcs/ps/tcsps.c
+++ git/src/tcs/ps/tcsps.c
@@ -72,7 +72,7 @@ get_file()
 	}
 
 	/* open and lock the file */
-	system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
+	system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
 	if (system_ps_fd < 0) {
 		LogError("system PS: open() of %s failed: %s",
 				tcsd_options.system_ps_file, strerror(errno));
Index: git/src/tcsd/svrside.c
===================================================================
--- git.orig/src/tcsd/svrside.c
+++ git/src/tcsd/svrside.c
@@ -473,6 +473,7 @@ main(int argc, char **argv)
 		}
 		return TCSERR(TSS_E_INTERNAL_ERROR);
 	}
+	setgid(pwd->pw_gid);
 	setuid(pwd->pw_uid);
 #endif
 #endif
Index: git/src/tcsd/tcsd_conf.c
===================================================================
--- git.orig/src/tcsd/tcsd_conf.c
+++ git/src/tcsd/tcsd_conf.c
@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
 #ifndef SOLARIS
 	struct group *grp;
 	struct passwd *pw;
-	mode_t mode = (S_IRUSR|S_IWUSR);
+	mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
 #endif /* SOLARIS */
 	TSS_RESULT result;
 
@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
 	}
 
 	/* make sure user/group TSS owns the conf file */
-	if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
+	if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
 		LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
-				TSS_USER_NAME, TSS_GROUP_NAME);
+				"root", TSS_GROUP_NAME);
 		return TCSERR(TSS_E_INTERNAL_ERROR);
 	}
 
-	/* make sure only the tss user can manipulate the config file */
+	/* make sure only the tss user can read (but not manipulate) the config file */
 	if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
-		LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
+		LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
 		return TCSERR(TSS_E_INTERNAL_ERROR);
 	}
 #endif /* SOLARIS */