We have released Omnibus 2.0.2 and Omnibus 3.2.2 to address an issue in which the contents of Omnibus-built Debian and Ubuntu packages are being installed with an arbitrary non-root UID and GID. This issue would allow a user with that UID and GID to replace the contents of the installed files and have them be executed by root. All Omnibus 2 and Omnibus 3 projects building for Debian or Ubuntu should be upgraded.
Omnibus 4, which is available as a prerelease version, is not affected.
We have released related updates to our existing software packages built with Omnibus. See Affected Products for further details.
Prior to this release, Omnibus 2 and Omnibus 3 defaults did not specify a target package user or group for Debian packages. The files bundled into the resulting .deb package kept the UID/GID of the executing process.
Installing one of these Omnibus-built Debian-style (.deb) packages creates files in the installation directory that are owned by user-space UIDs, such as UID/GID 999 or UID/GID 1001, instead of UID/GID 0 (root). An unprivileged user on the install system with the same UID/GID would be able to change file contents to execute arbitrary commands as the user running an application thus installed.
Omnibus packages in which a target package user or group has been specified with `package_user` or `package_group` are not affected. RPM packages are not affected as their target package user and group have always defaulted to UID/GID 0.
- (supported) All versions of Omnibus 2 and Omnibus 3.
- (deprecated) All versions of Omnibus 1 since 1.1.0.
- Ubuntu Linux
- Debian Linux
- Option 1: In the main directory of your Omnibus project, run `bundle update omnibus` to update your installation of the Omnibus gem and its dependencies. If you do not wish to update a dependency of Omnibus, you may need to adjust the version of that dependency set in your Gemfile and/or Gemfile.lock. You will also need to set file ownership in a post-install script in order to fix package upgrades to an existing installation, e.g. `chown -Rh 0:0 $INSTALLER_DIR`
- Option 2: Set `package_user` and `package_group` appropriately in the configuration file for your Omnibus project. You will also need to set file ownership in a post-install script in order to fix package upgrades to an existing installation, e.g. `chown -Rh 0:0 $INSTALLER_DIR`