[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: cp, ln, mv, install: check for vulnerable target directories
From: |
Paul Eggert |
Subject: |
Re: cp, ln, mv, install: check for vulnerable target directories |
Date: |
Wed, 20 Sep 2017 18:59:19 -0700 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 |
Kaz Kylheku (Coreutils) wrote:
Instead of checking for what *could* go wrong, why not defend more
specifically against signs that the attack might be actually happening.
That's what the patch is trying to do, though it looks like it should be
improved.
Somehow detect, "Uh oh! Parent is writable by another non-root user, and
the last component opened through a symlink!"
We can't do that check atomically, unfortunately. However, there are
approximations that should be good enough. I will think through this more
carefully. In the end, though, there will be no way to avoid all false positives
and all false negatives: we will need to err one way or the other, probably
both. The goal will be an engineering one: have so few false negatives that
attackers give up and do other things, and have so few false positives that
their cost is outweighed by the benefit of the true positives.
it occurs to me that the attack can be perpetrated if any of the
ancestral directories are writable to another non-root user.
Yes, and that's a problem that I am not trying to address. The Linux
/proc/sys/fs/protected_symlinks approach doesn't try to address it either. It'd
be too much hassle for Coreutils to address it, for too little benefit. The only
problem I am trying to address is foiling attempts to create children of
vulnerable directories, because these are where the bulk of the real-world
vulnerabilities are. The Linux kernel is the same way.
I am thinking of reverting my patch (at Pádraig's gentle suggestion) and coming
up with a better one in the light of recent comments. Perhaps it'll be two
patches, since we have two kinds of attacks here and that's causing some of the
confusion.
- cp, ln, mv, install: check for vulnerable target directories, Paul Eggert, 2017/09/19
- Re: cp, ln, mv, install: check for vulnerable target directories, Pádraig Brady, 2017/09/20
- Re: cp, ln, mv, install: check for vulnerable target directories, Bernhard Voelker, 2017/09/20
- Re: cp, ln, mv, install: check for vulnerable target directories, Paul Eggert, 2017/09/20
- Re: cp, ln, mv, install: check for vulnerable target directories, Kaz Kylheku (Coreutils), 2017/09/20
- Re: cp, ln, mv, install: check for vulnerable target directories,
Paul Eggert <=
- Re: cp, ln, mv, install: check for vulnerable target directories, Kaz Kylheku (Coreutils), 2017/09/21
- Re: cp, ln, mv, install: check for vulnerable target directories, Kaz Kylheku (Coreutils), 2017/09/21
- Re: cp, ln, mv, install: check for vulnerable target directories, Kaz Kylheku (Coreutils), 2017/09/21
- Re: cp, ln, mv, install: check for vulnerable target directories, Paul Eggert, 2017/09/21
- Re: cp, ln, mv, install: check for vulnerable target directories, Paul Eggert, 2017/09/25
Re: cp, ln, mv, install: check for vulnerable target directories, Kaz Kylheku (Coreutils), 2017/09/20
- Prev by Date:
Re: cp, ln, mv, install: check for vulnerable target directories
- Next by Date:
Re: cp, ln, mv, install: check for vulnerable target directories
- Previous by thread:
Re: cp, ln, mv, install: check for vulnerable target directories
- Next by thread:
Re: cp, ln, mv, install: check for vulnerable target directories
- Index(es):