SynologyOpenSource / pkgscripts-ng

Synology DSM6.0 package toolkit framework

Dsm 7.0 - package Root bypass #28

Open BeatSkip opened 3 years ago

BeatSkip commented 3 years ago

In getting my RTL8156 driver working on DSM 7.0, I discovered that you can pretty easily bypass the new 'privilege security feature' by just rewriting the privilege file in your postinst script. I verified that after rewriting the privilege file with literally 1 line of code, the entire package actually runs as root.

Tried posting on the synology beta forum but to no avail, so it might be good/handy to point out here as a useful tip in porting your package temporarily and ultimately get it fixed in the final version of dsm 7.0. Full details are available here: https://github.com/bb-qq/r8152/issues/88

jason1122g commented 3 years ago

it seems that the conf/privilege is owned by package user so that packages can change the content by their own

BeatSkip commented 3 years ago

@jason1122g yes indeed. But the funny thing is that you can run as root by editing a file that's owned by the package. Seems like that doesn't follow proper security procedures.

BeatSkip commented 3 years ago

Simply fixed by changing the owner, but still then, the underlying procedure of just reading "root" from a file provided by the package and subsequently running as root doesn't seem correct to me and fully exploitable. But I'm just a mechanical engineer, and far from an expert
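
An audit check for the condition described in the comments above, as an added example that is not code from this repository or from Synology: it flags a package whose `conf/privilege` requests `run-as: root` while the file is owned by the package's own user (or is group/world-writable), which is exactly the combination the postinst rewrite abuses, and passes only when the file is root-owned and not writable by anyone else. It assumes the DSM 7 privilege file is JSON with a `defaults.run-as` key (`package` or `root`); the sample files, the uid values and the function names are constructed for the example.

```python
import json
import os
import stat
import tempfile


def parse_run_as(text: str) -> str:
    """Return the requested run-as identity from a privilege file body.

    Assumed format (DSM 7 developer guide): {"defaults": {"run-as": "package"|"root"}}.
    A missing key is treated as the conservative default, "package".
    """
    data = json.loads(text)
    return data.get("defaults", {}).get("run-as", "package")


def classify(run_as: str, owner_uid: int, mode: int, package_uid: int) -> str:
    """Pure policy check, kept separate from the filesystem so it can be tested.

    A root request is only acceptable when the file is controlled by root
    and cannot be modified by the package user or anyone else.
    """
    if run_as != "root":
        return "ok: package runs as its own user"
    if owner_uid == package_uid:
        # The package can rewrite its own privilege file (e.g. from postinst)
        # and thereby grant itself root: the bypass reported in this issue.
        return "FAIL: run-as root, privilege file owned by the package user"
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "FAIL: run-as root, privilege file group/world writable"
    if owner_uid != 0:
        return "WARN: run-as root, privilege file not owned by root"
    return "ok: run-as root, privilege file root-owned and not writable by others"


def audit_privilege_file(path: str, package_uid: int) -> str:
    """Read a privilege file and classify it against the package's uid."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        run_as = parse_run_as(fh.read())
    return classify(run_as, st.st_uid, stat.S_IMODE(st.st_mode), package_uid)


def demo() -> dict:
    """Create two constructed privilege files and audit both.

    The 'bypass' file is owned by the current user and we treat that user as
    the package user, reproducing the vulnerable ownership. The 'package' file
    requests no root at all and is therefore fine regardless of ownership.
    """
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        bypass = os.path.join(tmp, "privilege_bypass")
        with open(bypass, "w", encoding="utf-8") as fh:
            # Constructed sample: what a postinst script would leave behind.
            fh.write(json.dumps({"defaults": {"run-as": "root"}}))
        os.chmod(bypass, 0o644)
        results["bypass"] = audit_privilege_file(bypass, package_uid=me)

        sane = os.path.join(tmp, "privilege_package")
        with open(sane, "w", encoding="utf-8") as fh:
            fh.write(json.dumps({"defaults": {"run-as": "package"}}))
        os.chmod(sane, 0o644)
        results["package"] = audit_privilege_file(sane, package_uid=me)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

On a real DSM 7 system the same check would be run over each package's `conf/privilege` with the package's service account uid; the split between `classify` and `audit_privilege_file` is what makes the policy testable without root.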

publicarray commented 3 years ago

@BeatSkip Good find! I would email bounty@synology.com about it, yes I would class that as a vulnerability. Not sure if their program applies to pre-release software though. And bear in mind that DSM6 allowed all packages that asked for root to execute as root. I don't think it's a huge issue at present but it's hilarious nonetheless and should be fixed (as it's clearly their intent to not allow root access anymore).

Let me know if you emailed them otherwise I'll happily notify them and point Synology to this very GitHub issue.

BeatSkip commented 3 years ago

I'll email them today 👍

BeatSkip commented 3 years ago

@publicarray you are right, it's not a big issue as this is pre-release. But it's a real funny oversight in the design of this privilege system, as it's undermined in the exact way it's supposed to protect the rights. I e-mailed them about it and will await the response. A bounty reward would be awesome though haha. But as I disclosed it publicly before contacting the bounty program I'm not sure; but again, as it's preview I didn't see it as 'irresponsible' to publicly disclose and just wanted to get attention towards it to get it fixed.

publicarray commented 3 years ago

Thanks @BeatSkip I agree. Yea I doubt you get a reward. Feel free to update us on their response though. Who knows it might be a feature.

publicarray commented 3 years ago

@BeatSkip Do you have any news?

publicarray commented 3 years ago

@SynologyOpenSource @BeatSkip What does it take to get an update around here? This is way past any 60 day disclosure policy. And is a publicly known bug.

BeatSkip commented 3 years ago

> @SynologyOpenSource @BeatSkip What does it take to get an update around here? This is way past any 60 day disclosure policy. And is a publicly known bug.

Well, there is no update. They are fixing it. Done