| 1 |
On 2020-11-26 21:36, Michael Orlitzky wrote: |
| 2 |
> Most of these security issues were fixed in systemd-tmpfiles years ago, |
| 3 |
> and you can easily find upstream tmpfiles.d entries that contain e.g. |
| 4 |
> "Z" entries. In that case, the upstream file is not in error, and root |
| 5 |
> doesn't have to be actively tricked into installing anything -- it will |
| 6 |
> just happen. |
| 7 |
|
| 8 |
I disagree here: Packages installing tmpfiles configs requiring |
| 9 |
recursive chown on each boot are doing something wrong from my P.O.V. |
| 10 |
like you can never safely do that (you can only take precaution like not |
| 11 |
following symlinks but in this case you don't do what you were asked to |
| 12 |
do so you shouldn't return 'Yup, I chowned everything like you asked me |
| 13 |
to do'). |
| 14 |
|
| 15 |
|
| 16 |
> Opentmpfiles literally cannot fix this. There is no POSIX API to safely |
| 17 |
> handle hardlinks. At best it can be reduced to the same race condition |
| 18 |
> we have in checkpath, but the entire project would have to be rewritten |
| 19 |
> in C to accomplish even that. |
| 20 |
|
| 21 |
Note that hardlinks aren't even fixed for systemd's tmpfiles provider. |
| 22 |
It will always rely on fs.protected_hardlinks for example. And checking |
| 23 |
for hardlinks like happened to address CVE-2017-18078 will create |
| 24 |
another TOCTOU race. Where is the follow-up report for this? |
| 25 |
|
| 26 |
In short: As long as it is possible for attacker to write to directory |
| 27 |
you are working on you can never do mentioned things in a safe way. You |
| 28 |
first have to revoke access for everyone except you and then you can |
| 29 |
start checking file per file... but *no* implementation is doing |
| 30 |
something like that. |
| 31 |
|
| 32 |
And keep in mind: We are talking about an attack vector where we already |
| 33 |
assume someone successfully compromised an application and can now do |
| 34 |
everything the application user can do for which we do the work in |
| 35 |
tmpfiles config. Saying that systemd's implementation is more secure |
| 36 |
than OpenTmpfiles' implementation when you are still able to escalate |
| 37 |
privileges is very misleading. |
| 38 |
|
| 39 |
|
| 40 |
-- |
| 41 |
Regards, |
| 42 |
Thomas Deutschmann / Gentoo Linux Developer |
| 43 |
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
Archives