Security Releases: Omnibus 2.0.2 and 3.2.2 (insecure file ownership in Omnibus-built Debian and Ubuntu packages)

Ohai everyone,

We have released Omnibus 2.0.2 and Omnibus 3.2.2 to address an issue in which the contents of Omnibus-built Debian and Ubuntu packages are being installed with an arbitrary non-root UID and GID. This issue would allow a user with that UID and GID to replace the contents of the installed files and have them be executed by root. All Omnibus 2 and Omnibus 3 projects building for Debian or Ubuntu should be upgraded.

Omnibus 4, which is available as a prerelease version, is not affected.

We have released related updates to our existing software packages built with Omnibus. See Affected Products for further details.

Description

Prior to this release, Omnibus 2 and Omnibus 3 defaults did not specify a target package user or group for Debian packages. The files bundled into the resulting .deb package kept the UID/GID of the executing process.

Installing one of these Omnibus-built Debian-style (.deb) packages creates files in the installation directory that are owned by user-space UIDs, such as UID/GID 999 or UID/GID 1001, instead of UID/GID 0 (root). An unprivileged user on the install system with the same UID/GID would be able to change file contents to execute arbitrary commands as the user running an application thus installed.

Omnibus packages in which a target package user or group has been specified with `package_user` or `package_group` are not affected. RPM packages are not affected as their target package user and group have always defaulted to UID/GID 0.

Affected Versions

  • (supported) All versions of Omnibus 2 and Omnibus 3.
  • (deprecated) All versions of Omnibus 1 since 1.1.0.

Build Platforms

  • Ubuntu Linux
  • Debian Linux

Remediation

  • Option 1: In the main directory of your Omnibus project, run `bundle update omnibus` to update your installation of the Omnibus gem and its dependencies. If you do not wish to update a dependency of Omnibus, you may need to adjust the version of that dependency set in your Gemfile and/or Gemfile.lock. You will also need to set file ownership in a post-install script in order to fix package upgrades to an existing installation, e.g. `chown -Rh 0:0 $INSTALLER_DIR`
  • Option 2: Set `package_user` and `package_group` appropriately in the configuration file for your Omnibus project. You will also need to set file ownership in a post-install script in order to fix package upgrades to an existing installation, e.g. `chown -Rh 0:0 $INSTALLER_DIR`
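As an added example, not code from Chef or the Omnibus project: a POSIX shell audit for an installed tree whose files are not owned by the expected UID/GID (the `999` / `1001` case the advisory describes when run as `0 0`), next to the `chown -Rh` fix the post-install script needs. `INSTALLER_DIR`, the default path `/opt/app` and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Chef's or Omnibus' own code). Audits an install directory
# for paths not owned by the expected UID/GID and applies the post-install
# ownership fix from the advisory. The default path /opt/app is an assumption.
set -u

# Print every path under $1 whose owner UID != $2 or group GID != $3.
# -user/-group accept numeric IDs on GNU, BSD and busybox find, and without -L
# a symlink's own ownership is checked, matching what chown -h will fix.
audit_ownership() {
    dir=$1; want_uid=$2; want_gid=$3
    find "$dir" \( ! -user "$want_uid" -o ! -group "$want_gid" \) -print
}

# Number of mis-owned paths (tr strips the padding BSD wc adds).
count_misowned() {
    audit_ownership "$1" "$2" "$3" | wc -l | tr -d ' '
}

# The advisory's fix for an existing installation: re-own the whole tree.
# -h re-owns symlinks themselves instead of their targets. A real postinst
# passes 0 0 here; the test below passes the current user to stay unprivileged.
fix_ownership() {
    chown -Rh "$2:$3" "$1"
}

# Constructed sample tree standing in for an unpacked package payload.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/etc"
    printf '#!/bin/sh\necho hi\n' > "$tmp/bin/app"
    : > "$tmp/etc/app.conf"
    ln -s app "$tmp/bin/app-link"
    printf '%s\n' "$tmp"
}

# Stand-alone check: `sh audit.sh --check` reports paths under $INSTALLER_DIR
# (assumed default /opt/app) that root does not own; exit status is non-zero
# when any are found, so it can gate an upgrade or a monitoring job.
if [ "${1:-}" = "--check" ]; then
    n=$(count_misowned "${INSTALLER_DIR:-/opt/app}" 0 0)
    echo "paths not owned by root: $n"
    [ "$n" -eq 0 ]
fi
```

Running the audit with `0 0` before and after `fix_ownership "$INSTALLER_DIR" 0 0` in the post-install script shows whether the upgrade actually repaired the tree left behind by an earlier, affected package.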

Affected Products

Author: Nathen Harvey

As the VP of Community Development at Chef, Nathen helps the community whip up an awesome ecosystem built around the Chef framework. Nathen also spends much of his time helping people learn about the practices, processes, and technologies that support DevOps, Continuous Delivery, and Web-scale IT. Prior to joining Chef, Nathen spent a number of years managing operations and infrastructure for a number of web applications. Nathen is a co-host of the Food Fight Show, a podcast about Chef and DevOps.