1 |
On Fri, Mar 11, 2022 at 1:23 PM Mark Knecht <markknecht@×××××.com> wrote: |
2 |
> |
3 |
> To me the overriding idea of not letting any user, including root, |
4 |
> mess around in a pipe makes logical sense, but as the OP has showed I |
5 |
> guess there were valid uses for this feature pre-patch, and it seems |
6 |
> that a user can override the feature by setting some bits if they need |
7 |
> to and really think they know what they are doing. |
8 |
|
9 |
There has been a long history of exploits on Unix involving places |
10 |
like /tmp because it is so easy for different users to step on each |
11 |
other's toes, possibly deliberately. The sorts of things that can go |
12 |
wrong are usually not intuitive, though anybody creating files in a |
13 |
world/group-writable location really should be aware of them. This is |
14 |
also the reason why you should never have "." in your path. |
15 |
|
16 |
Usually attacks work by predicting some file that a root-controlled |
17 |
process is about to create, and then creating it before the process |
18 |
does, so that the process ends up opening an existing file that you |
19 |
control instead of a new file that it controls. Programmers sometimes |
20 |
anticipate issues and create their own safeguards, but fail to |
21 |
understand race conditions so there can be a time gap between after |
22 |
the sanity checks are run and when the file is created. |
23 |
|
24 |
There is also a principle in security in general that suggests that |
25 |
any situation where data can pass between two different privilege |
26 |
levels needs to be safeguarded by default. I believe there are |
27 |
operating system models (probably including SELinux) that block such |
28 |
flows/transitions by default, and force programmers to explicitly |
29 |
define them so that they can't happen inadvertently. Basically if a |
30 |
non-privileged process can only interact with a privileged process via |
31 |
very tightly controlled APIs then it is much easier to secure the |
32 |
process, even if a programmer can't anticipate all the ways that such |
33 |
an interaction might occur. |
34 |
|
35 |
In this particular case it just sounds like you need to open the file |
36 |
without using O_CREAT if you intend to open an existing process owned |
37 |
by another user, and if you intend to create a new file then you can |
38 |
use O_CREAT and if the system call fails that is a feature and not a |
39 |
bug. This safeguard forces the programmer to explicitly communicate |
40 |
to the kernel if it intended to open an existing file owned by a |
41 |
non-root user, vs getting tricked into it when it intended to create a |
42 |
new one. You can catch the failure and try again with a different |
43 |
name if you had wanted to create a temp file. |
44 |
|
45 |
-- |
46 |
Rich |