Debian Bug report logs - #1055580
dlt-daemon: Runs daemon as user nobody with owned files on fsys


Package: dlt-daemon; Maintainer for dlt-daemon is Aigars Mahinovs <[email protected]>; Source for dlt-daemon is src:dlt-daemon (PTS, buildd, popcon).

Reported by: Guillem Jover <[email protected]>

Date: Wed, 8 Nov 2023 12:15:01 UTC

Severity: serious

Tags: security

Found in version dlt-daemon/2.18.0-1

Fixed in version dlt-daemon/2.18.10-8

Done: Gianfranco Costamagna <[email protected]>



Message #5 received at [email protected] (full text, mbox, reply):

Date: Wed, 8 Nov 2023 13:12:53 +0100
From: Guillem Jover <[email protected]>
To: [email protected]
Subject: dlt-daemon: Runs daemon as user nobody with owned files on fsys
Message-ID: <[email protected]>
Package: dlt-daemon
Version: 2.18.0-1
Severity: serious
Tags: security

Hi!

This daemon runs as user nobody, while creating multiple files on the
filesystem owned by the same user, which are used as part of its
security protection. This is a security issue, given that other
daemons on the system might be running as the same user, and worse
when dlt-daemon is writing and parsing files from hardcoded paths
under /tmp.

From base-passwd/users-and-groups.txt.gz:

  ,---
    nobody, nogroup
          Daemons that need not own any files sometimes run as
          user nobody and group nogroup, although using a
          dedicated user is far preferable. Thus, no files on a
          system should be owned by this user or group.

          (Technically speaking, it does no harm for a file to be
          owned by group nogroup as long as the ownership confers
          no additional privileges, that is if the group and other
          permission bits are equal. However, this is sloppy
          practice and should be avoided.)

          If root-squashing is in use over NFS, root access from
          the client is performed as user nobody on the server.
  `---

If you are going to fix this by using a dedicated user/group, please
make sure to namespace them with «_» to distinguish them as system
users and avoid unnecessary collisions with non-system users. (Such
as _dlt or similar.)

[ The version I used is the earliest I found with the same issue from
  the tracker.d.o page, earlier versions might be affected too, dunno. ]

Thanks,
Guillem

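The report above rests on the base-passwd rule that no file on the system should be owned by user nobody, and that a file owned by group nogroup is only harmless when its group permission bits equal its other bits. The following audit script is an added example (it is not part of the bug report, of base-passwd, or of the dlt-daemon package) that turns that rule into a check you can run against a tree such as /tmp. The uid, gid and root directory are parameters, so the demo runs without root by treating the current user's uid as "nobody" over a constructed temporary tree; the file names in that tree are made up for the demonstration and are not dlt-daemon's real paths.

```python
"""Audit a directory tree for files owned by a shared 'nobody'-style account.

Added example, not code from the bug report or from dlt-daemon. Implements the
base-passwd rule quoted in the report: no file should be owned by user nobody,
and a file owned by group nogroup is only harmless when its group bits equal
its other bits (then the group ownership confers no extra privilege).
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional

DEBIAN_NOBODY_UID = 65534   # Debian's static uid/gid for nobody/nogroup
DEBIAN_NOGROUP_GID = 65534


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str  # "owned-by-nobody" | "nogroup-extra-privs" | "nogroup-harmless"


def classify(st_uid: int, st_gid: int, st_mode: int,
             nobody_uid: int, nogroup_gid: int) -> Optional[str]:
    """Return the finding kind for one inode, or None if it raises no concern."""
    if st_uid == nobody_uid:
        # Any file owned by the shared account is a problem: every other
        # daemon running as nobody can modify it.
        return "owned-by-nobody"
    if st_gid == nogroup_gid:
        group_bits = (st_mode & stat.S_IRWXG) >> 3
        other_bits = st_mode & stat.S_IRWXO
        if group_bits != other_bits:
            # Group membership grants something "other" does not: privilege.
            return "nogroup-extra-privs"
        return "nogroup-harmless"  # sloppy per base-passwd, but no extra rights
    return None


def scan(root: str, nobody_uid: int, nogroup_gid: int) -> List[Finding]:
    """Walk root with lstat (symlinks are not followed, which matters under /tmp)."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            reason = classify(st.st_uid, st.st_gid, st.st_mode,
                              nobody_uid, nogroup_gid)
            if reason is not None:
                findings.append(Finding(path, reason))
    return sorted(findings, key=lambda f: f.path)


def demo() -> List[Finding]:
    """Constructed tree: a runtime directory plus two files a daemon might drop.

    The current uid stands in for 'nobody' so the demo needs no root; every
    entry is therefore expected to be flagged as owned-by-nobody.
    """
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "run"))
        for rel in ("run/daemon.pid", "trace.log"):   # hypothetical names
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed\n")
        return scan(root, os.getuid(), -1)  # gid -1 never matches: uid branch only


if __name__ == "__main__":
    import grp
    import pwd
    try:   # resolve the real ids on this host, falling back to Debian's statics
        nobody = pwd.getpwnam("nobody").pw_uid
        nogroup = grp.getgrnam("nogroup").gr_gid
    except KeyError:
        nobody, nogroup = DEBIAN_NOBODY_UID, DEBIAN_NOGROUP_GID
    for f in scan("/tmp", nobody, nogroup):
        print(f"{f.reason:20s} {f.path}")
```

Run it as root to cover directories your own account cannot read; a single "owned-by-nobody" hit under /tmp from a daemon is the situation the report describes, and the fix is the dedicated `_`-prefixed system user the reporter asks for, not tightening the permissions on the nobody-owned files.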




Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 17:35:06 2025; Machine Name: bembo
