authd Privilege Escalation Vulnerability Due to Incorrect Primary Group ID Handling
Vulnerability
A local privilege escalation vulnerability has been identified in authd versions prior to 0.6.4. The issue is a logic error in how primary group IDs (GIDs) are assigned to users whose primary GID does not match their user ID (UID). Such a mismatch occurs for users created with an earlier version of authd, or for users whose GID was changed manually with the authctl command. When the identity provider record of such a user is updated, authd incorrectly resets the user's primary GID to the UID at the next login. As a result, files and directories end up owned by the wrong group: the user's own access to existing files can break (denial of service), and other local users may gain access they were never granted, which is the privilege escalation.
Impact
Exploitation of this vulnerability can lead to local privilege escalation: because the affected user's files and directories become owned by the wrong group, other local users who are members of that group gain unintended access to them. The incorrect ownership also disrupts normal operation of the affected account and the access controls that depend on group ownership.
Reproduction
To reproduce this vulnerability, obtain a user account whose primary GID differs from its UID. Either create the account with an authd version prior to 0.5.4 (which did not tie the primary GID to the UID), or change the GID of an existing account manually with the authctl group set-gid command. Then update the user's identity provider record and log the user in again: authd incorrectly resets the GID to the UID, and files created in the user's home directory from that point on are owned by the wrong group, while files created earlier keep the old GID.
Remediation
Upgrade to authd 0.6.4 or later, which contains the fix. For accounts that were already affected, reset the GID manually with the authctl group set-gid command, then have the user log out and back in so the corrected GID takes effect in new sessions. Files and directories that still carry the incorrect GID can be repointed to the correct group with chown (or chgrp). Active sessions of an authd user can be ended by terminating the login with the loginctl terminate-user command.
