[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: cp, ln, mv, install: check for vulnerable target directories
|
From: |
Pádraig Brady |
|
Subject: |
Re: cp, ln, mv, install: check for vulnerable target directories |
|
Date: |
Tue, 19 Sep 2017 22:32:47 -0700 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 |
On 19/09/17 00:25, Paul Eggert wrote:
> For years cp and friends have been subject to a symlink attack, in that
> seemingly-ordinary commands like 'cp a b' can overwrite arbitrary directories
> that the user has access to, if b's parent directory is world-writable and is
> not sticky and is manipulated by a malicious user. To help ameliorate this
> problem, I've installed the attached patch into coreutils. Although it does
> not
> detect every instance of this problem, the goal is that its heuristic should
> avoid false positives while catching and reporting and refusing to act on
> most
> instances.
>
> As this is not an upward-compatible change, I installed this patch right
> after a
> coreutils release, in the hope that we will have time to shake out any
> problems
> with it (including reverting it entirely :-) before the next release.
>
It would be better to have some discussion about such patches before landing.
I see it discounts sticky dirs, which is a bit surprising since they're
generally the most vulnerable since they're configured to be shared?
I suppose that would disallow copying to /tmp on most systems which
would be a bit drastic, but this is that drastic in the less problematic
case of non sticky world writeable dirs.
Note the sticky dir case is already handled at the Linux kernel level
with /proc/sys/fs/protected_symlinks, as that's the main attack vector.
I feel this is protecting a less problematic case and will probably
break embedded system scripts for example which generally don't
care about permissions but run stuff as non root. BTW this doesn't protect
the case where root is writing to a root owned but a+w dir, so
it seems strange to match the dir owner with the writer.
In the kernel protected_symlinks case the owner match gating is
on the symlink itself which makes sense. I'd be more inclined
to have another kernel value for /proc/sys/fs/protected_symlinks
that also provided the protection to non sticky dirs?
A less invasive change might be to enable this only with -i
which Fedora at least enables by default for the root user.
Also there were many syntax-check failures in this patch.
I've fixed them up in a separate patch
(isolated from yet more syntax-check failures)
so we can revert these in reverse order if needed.
Pádraig
- cp, ln, mv, install: check for vulnerable target directories, Paul Eggert, 2017/09/19
- Re: cp, ln, mv, install: check for vulnerable target directories,
Pádraig Brady <=
- Re: cp, ln, mv, install: check for vulnerable target directories, Bernhard Voelker, 2017/09/20
- Re: cp, ln, mv, install: check for vulnerable target directories, Paul Eggert, 2017/09/20
- Re: cp, ln, mv, install: check for vulnerable target directories, Kaz Kylheku (Coreutils), 2017/09/20
- Re: cp, ln, mv, install: check for vulnerable target directories, Paul Eggert, 2017/09/20
- Re: cp, ln, mv, install: check for vulnerable target directories, Kaz Kylheku (Coreutils), 2017/09/21
- Re: cp, ln, mv, install: check for vulnerable target directories, Kaz Kylheku (Coreutils), 2017/09/21
- Re: cp, ln, mv, install: check for vulnerable target directories, Kaz Kylheku (Coreutils), 2017/09/21
- Re: cp, ln, mv, install: check for vulnerable target directories, Paul Eggert, 2017/09/21
- Re: cp, ln, mv, install: check for vulnerable target directories, Paul Eggert, 2017/09/25