On 2020-11-26 21:36, Michael Orlitzky wrote:
> Most of these security issues were fixed in systemd-tmpfiles years ago,
> and you can easily find upstream tmpfiles.d entries that contain e.g.
> "Z" entries. In that case, the upstream file is not in error, and root
> doesn't have to be actively tricked into installing anything -- it will
> just happen.

I disagree here: packages installing tmpfiles configs requiring a
recursive chown on each boot are doing something wrong from my P.O.V.,
as you can never safely do that (you can only take precautions like not
following symlinks, but in this case you don't do what you were asked to
do, so you shouldn't return 'Yup, I chowned everything like you asked me
to do').


> Opentmpfiles literally cannot fix this. There is no POSIX API to safely
> handle hardlinks. At best it can be reduced to the same race condition
> we have in checkpath, but the entire project would have to be rewritten
> in C to accomplish even that.

Note that hardlinks aren't even fixed for systemd's tmpfiles provider.
It will always rely on fs.protected_hardlinks, for example. And checking
for hardlinks, as was done to address CVE-2017-18078, will create
another TOCTOU race. Where is the follow-up report for this?

In short: as long as it is possible for an attacker to write to the
directory you are working on, you can never do the mentioned things in a
safe way. You first have to revoke access for everyone except you and
then you can start checking file by file... but *no* implementation is
doing something like that.

And keep in mind: we are talking about an attack vector where we already
assume someone successfully compromised an application and can now do
everything the application user can do, for which we do the work in the
tmpfiles config. Saying that systemd's implementation is more secure
than OpenTmpfiles' implementation when you are still able to escalate
privileges is very misleading.


-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
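As an added illustration of what the message argues (this is not part of Thomas's mail and not code from opentmpfiles or systemd-tmpfiles), the C program below does a recursive chown the way a "check file by file" implementation would have to: every entry is opened relative to its parent directory fd with O_NOFOLLOW, inspected with fstat(), and chowned through that same fd, symlinks are never followed, and files with st_nlink > 1 are skipped in the style of the CVE-2017-18078 hardlink check. It also reads the fs.protected_hardlinks sysctl the mail says systemd relies on. The st_nlink value is still a snapshot taken before the chown, so the code narrows the TOCTOU window rather than removing it, which is exactly the residual race the mail points at. Linux-only (O_PATH, AT_EMPTY_PATH); the function names and the mkdtemp() fixture tree are my own constructions for the example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read fs.protected_hardlinks: 1 = on, 0 = off, -1 = not readable (no procfs). */
int protected_hardlinks_enabled(void) {
    FILE *f = fopen("/proc/sys/fs/protected_hardlinks", "r");
    int v = -1;
    if (!f) return -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Recursively chown everything below dirfd to uid:gid without path strings:
 * each entry is opened relative to its parent fd with O_NOFOLLOW, inspected
 * with fstat(), and chowned through that same fd (fchownat + AT_EMPTY_PATH),
 * so the inode that was inspected is the inode that gets chowned. Symlinks are
 * never followed and non-directories with st_nlink > 1 are skipped, the shape
 * of the CVE-2017-18078 hardlink check. st_nlink is still a snapshot, so this
 * narrows the race described in the mail rather than removing it.
 * *skipped counts entries left alone. Returns 0, or -1 with errno set. */
int chown_tree_fd(int dirfd, uid_t uid, gid_t gid, int *skipped) {
    int dfd = dup(dirfd);                 /* fdopendir() takes ownership of its fd */
    if (dfd < 0) return -1;
    DIR *d = fdopendir(dfd);
    if (!d) { close(dfd); return -1; }
    rewinddir(d);                         /* dup() shares the directory offset */
    struct dirent *ent;
    int rc = 0;
    while (rc == 0 && (ent = readdir(d)) != NULL) {
        if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, "..")) continue;
        int is_dir = 1;
        int fd = openat(dirfd, ent->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (fd < 0 && (errno == ENOTDIR || errno == ELOOP)) {
            /* Not a directory (or a symlink): O_PATH opens nothing (no FIFO blocking,
             * no device side effects) but still pins the inode for fstat/fchownat. */
            is_dir = 0;
            fd = openat(dirfd, ent->d_name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
        }
        if (fd < 0) { rc = -1; break; }
        struct stat st;
        if (fstat(fd, &st) < 0) { close(fd); rc = -1; break; }
        if (S_ISLNK(st.st_mode) || (!is_dir && st.st_nlink > 1)) {
            (*skipped)++;                 /* symlink, or a file also linked elsewhere */
        } else if (is_dir && chown_tree_fd(fd, uid, gid, skipped) < 0) {
            rc = -1;
        } else if (fchownat(fd, "", uid, gid, AT_EMPTY_PATH) < 0) {
            rc = -1;
        }
        close(fd);
    }
    int saved = errno;
    closedir(d);
    errno = saved;
    return rc;
}

/* Constructed fixture (not from the mail): a fresh mkdtemp() tree with
 *   a      regular file           sub/b  regular file in a subdirectory
 *   hard   second link to "a"     sym    symlink -> "a"
 * "a" and "hard" share an inode (st_nlink == 2) and "sym" is a symlink, so
 * chown_tree_fd() reports 3 skipped entries and chowns only sub/b and sub.
 * Chowning to the caller's own uid/gid needs no privilege. Returns the
 * skipped count, or -1 on any failure. */
int demo_chown_fixture(void) {
    char path[256];
    const char *base = getenv("TMPDIR");
    int dfd, fd, skipped = 0, result = -1;
    snprintf(path, sizeof path, "%s/chowntree-XXXXXX", base ? base : "/tmp");
    if (!mkdtemp(path)) return -1;
    if ((dfd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC)) < 0) return -1;
    if ((fd = openat(dfd, "a", O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) goto out;
    close(fd);
    if (mkdirat(dfd, "sub", 0700) < 0) goto out;
    if ((fd = openat(dfd, "sub/b", O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) goto out;
    close(fd);
    if (linkat(dfd, "a", dfd, "hard", 0) < 0) goto out;
    if (symlinkat("a", dfd, "sym") < 0) goto out;
    if (chown_tree_fd(dfd, getuid(), getgid(), &skipped) == 0) result = skipped;
out:
    unlinkat(dfd, "sub/b", 0); unlinkat(dfd, "sub", AT_REMOVEDIR);   /* best-effort cleanup */
    unlinkat(dfd, "a", 0); unlinkat(dfd, "hard", 0); unlinkat(dfd, "sym", 0);
    close(dfd);
    rmdir(path);
    return result;
}

int main(void) {
    printf("fs.protected_hardlinks = %d\n", protected_hardlinks_enabled());
    printf("fixture: %d entries skipped (expected 3)\n", demo_chown_fixture());
    return 0;
}
```

The point of the fd-relative walk is that no path is ever re-resolved between the check and the chown, so a swapped directory component or a symlink dropped in by the application user cannot redirect the operation; what remains is the window between fstat() and the moment the inode was linked into the tree, which is why the mail insists that revoking write access to the directory first is the only real fix.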