Hi all,

A small, but important, set of files was incorrectly given group write
permission on Fedora CoreOS systems for a few releases. In addition,
Ignition configs written by coreos-installer before 0.10.0 were made
world-readable, potentially exposing secrets to unprivileged users on the
host. Both problems were corrected automatically when affected systems were
upgraded to newer releases.

Group-writable files
--------------------

The following (potentially non-exhaustive) list of files was inadvertently
made writable by the `root` group:

    /etc/crypto-policies/state/current
    /etc/group
    /etc/group-
    /etc/iscsi/initiatorname.iscsi
    /etc/passwd
    /etc/passwd-
    /etc/selinux/config
    /etc/ssh/sshd_config.d/40-disable-passwords.conf
    /etc/systemd/dont-synthesize-nobody

This is only an issue if unprivileged users or rootful containers had access
to the `root` group (i.e. processes running under an unprivileged UID but
with the `root` group), as they could potentially have altered those files
and thus escalated privileges.

New installations starting from version 34.20210611.3.0 (stable),
34.20210611.2.0 (testing), 34.20210611.1.0 (next) and later are unaffected.
All existing systems that have updated to an unaffected version have
automatically fixed the affected permissions and no action is required.

You can verify that no other file or directory has those permission bits set
with the following command:

    sudo find /etc -type f,d -perm /022

This issue is tracked in fedora-coreos-tracker #829 [1].

World-readable Ignition configs (CVE-2021-3917)
-----------------------------------------------

On systems installed with coreos-installer before 0.10.0,
/boot/ignition/config.ign was made world-readable, giving unprivileged
users access to any secrets included in that file. Instances launched from
a cloud image, and systems provisioned with the ignition.config.url kernel
argument, do not use that file and are unaffected.

coreos-installer 0.10.0 and later writes the Ignition config with
restrictive permissions. In addition, on Fedora CoreOS systems installed
from version 34.20210711.3.0 (stable), 34.20210711.2.0 (testing),
34.20210711.1.1 (next) and later, the /boot/ignition directory and its
contents are removed after provisioning is complete. All existing systems
that have updated to an unaffected version have automatically removed the
/boot/ignition directory and no action is required.

This issue is tracked in fedora-coreos-tracker #889 [2].

Best,
--Timothée Ravier and Benjamin Gilbert

[1]: https://github.com/coreos/fedora-coreos-tracker/issues/829
[2]: https://github.com/coreos/fedora-coreos-tracker/issues/889
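
Both checks from the announcement as POSIX shell functions. This is an added
example, not part of the original message or of any Fedora CoreOS tooling; the
function names and the root-prefix argument are assumptions introduced here so
the same checks can be pointed at a mounted filesystem tree.

```shell
#!/bin/sh
# Added example, not from the announcement. The root-prefix argument and the
# function names are assumptions: "" audits the live host, "/mnt" a mounted tree.

# Files and directories under $1/etc writable by group or other.
# "-perm -020 -o -perm -002" is the POSIX spelling of GNU find's "-perm /022".
list_loose_etc() {
    find "$1/etc" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# Succeeds if $1/boot/ignition/config.ign exists and is readable by "other".
ignition_world_readable() {
    cfg="$1/boot/ignition/config.ign"
    [ -f "$cfg" ] || return 1
    [ -n "$(find "$cfg" -perm -004 2>/dev/null)" ]
}

# Runs both checks, prints findings, returns the number of checks that failed.
audit() {
    root="${1:-}"
    failed=0
    loose=$(list_loose_etc "$root") || true
    if [ -n "$loose" ]; then
        echo "group- or world-writable under $root/etc:"
        echo "$loose" | sed 's/^/    /'
        failed=$((failed + 1))
    fi
    if ignition_world_readable "$root"; then
        echo "world-readable: $root/boot/ignition/config.ign"
        failed=$((failed + 1))
    fi
    [ "$failed" -eq 0 ] && echo "no findings under ${root:-/}"
    return "$failed"
}
```

Source the file in a root shell and run `audit` with no argument on a live
host, or `audit /mnt` against a tree mounted under /mnt; the exit status is
the number of checks that failed.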