Fixes for CVE-2017-18925 #22
Conversation
Signed-off-by: Sandio Araico Sanchez <[email protected]> Bug #540006 hardened mode for opentmpfiles Ignore some recursive options Refuse to remove root-owned dirs and files Refuse to chmod/chdir/chown user-owned dirs and files Check non-existence before creating a directory Ensure directory has been newly created before chown/chmod/chgrp exit on error
tmpfiles.sh
Outdated
| [ "${CREATE}" -gt 0 ] || return 0 | ||
|
|
||
| relabel "$@" | ||
| echo "Ignoring recursively *" |
There was a problem hiding this comment.
This makes us non-compliant with the spec: https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html.
|
If some administrator has changed the context, it is for a reason. A regular user doesn't have enough permission to change context. Allowing the robot to silently restore the context might have unwanted consequences better dealt manually. An example: Some months later, the system reboots and the robot restores context on |
|
I see no major danger if we skip both _z() and _Z() chunks, porovided the package maintainer has previously defined the correct policies. |
tmpfiles.sh
Outdated
| return 404 | ||
| fi | ||
| FOUND=$(find "${path}" -maxdepth 0 -uid 0 -gid 0) | ||
| if [ -z $FOUND ] ; then |
There was a problem hiding this comment.
afaict, FOUND is only used here, so there's no need to create it at all. this line also lacks quoting.
if [ -z "$(find "${path}" -maxdepth 0 -uid 0 -gid 0)" ] ; then
tmpfiles.sh
Outdated
| @@ -55,6 +69,10 @@ _chattr() { | |||
| *) attr="+${attr}" ;; | |||
| esac | |||
| local IFS= | |||
| if ! owned_by_root $1 ; then | |||
There was a problem hiding this comment.
need to quote "$1"
comes up below too
tmpfiles.sh
Outdated
| if [ -x /sbin/restorecon ]; then | ||
| dryrun_or_real restorecon ${CHOPTS} "${path}" || status="$?" | ||
| if [ $status -ne 0 ]; then |
| if [ -x /sbin/restorecon ]; then | ||
| dryrun_or_real restorecon -F "$(splitpath "${path}")" | ||
| fi | ||
| } | ||
|
|
||
| _chmod() { | ||
| local path=$2 mode=$1 | ||
| if ! owned_by_root "${path}" ; then |
| @@ -253,7 +401,12 @@ _D() { | |||
| local path=$1 mode=$2 uid=$3 gid=$4 | |||
|
|
|||
| if [ -d "${path}" ] && [ "${REMOVE}" -gt 0 ]; then | |||
| dryrun_or_real find "${path}" -mindepth 1 -maxdepth 1 -xdev -exec rm -rf {} + | |||
| if owned_by_root "${path}" ; then | |||
| echo "Cowardly refusing to remove directory" >&2 | |||
There was a problem hiding this comment.
doesn't this defeat the purpose of using tmpfiles.d ? the entries are supposed to get arbitrary filesystem state back into a known good state. by bailing out here (and elsewhere), the project is only good to create files when they don't yet exist.
There was a problem hiding this comment.
The coward refusal happens only when the owner is root.
Removing root-owned directories implies a potential security risk.
user-owned directories are allowed to be removed.
| @@ -253,7 +401,12 @@ _D() { | |||
| local path=$1 mode=$2 uid=$3 gid=$4 | |||
|
|
|||
| if [ -d "${path}" ] && [ "${REMOVE}" -gt 0 ]; then | |||
| dryrun_or_real find "${path}" -mindepth 1 -maxdepth 1 -xdev -exec rm -rf {} + | |||
| if owned_by_root "${path}" ; then | |||
There was a problem hiding this comment.
can't tmpfiles.d rules create dirs not owned by root by design ? so this basically wedges the state after a single run ?
There was a problem hiding this comment.
Directory creation is refused only when a directory with the same name, owned by root already exists.
Removing directories owned by root creates potential a security risk.
Changing ownership of directories owned by root creates potential a security risk.
Only the system administrator should be able to knowingly remove directories owned by root or change ownership.
You started your alternative impl in C++, I guess that can be a valid path forward, the rust impl of the parser is already done and has at least few tests, I guess it could be freshen and documented for those that like to try that way as well. |
|
i started a rewrite because the systemd one wasn't buildable in isolation. that has changed, so i don't feel the need to pursue my own version anymore. |
Signed-off-by: Sandio Araico Sanchez [email protected]
Bug #540006
hardened mode for opentmpfiles
Ignore some recursive options
Refuse to remove root-owned dirs and files
Refuse to chmod/chdir/chown user-owned dirs and files
Check non-existence before creating a directory
Ensure directory has been newly created before chown/chmod/chgrp
exit on error