| 1 |
On Fri, Mar 11, 2022 at 1:23 PM Mark Knecht <markknecht@×××××.com> wrote: |
| 2 |
> |
| 3 |
> To me the overriding idea of not letting any user, including root, |
| 4 |
> mess around in a pipe makes logical sense, but as the OP has showed I |
| 5 |
> guess there were valid uses for this feature pre-patch, and it seems |
| 6 |
> that a user can override the feature by setting some bits if they need |
| 7 |
> to and really think they know what they are doing. |
| 8 |
|
| 9 |
There has been a long history of exploits on Unix involving places |
| 10 |
like /tmp because it is so easy for different users to step on each |
| 11 |
other's toes, possibly deliberately. The sorts of things that can go |
| 12 |
wrong are usually not intuitive, though anybody creating files in a |
| 13 |
world/group-writable location really should be aware of them. This is |
| 14 |
also the reason why you should never have "." in your path. |
| 15 |
|
| 16 |
Usually attacks work by predicting some file that a root-controlled |
| 17 |
process is about to create, and then creating it before the process |
| 18 |
does, so that the process ends up opening an existing file that you |
| 19 |
control instead of a new file that it controls. Programmers sometimes |
| 20 |
anticipate issues and create their own safeguards, but fail to |
| 21 |
understand race conditions so there can be a time gap between after |
| 22 |
the sanity checks are run and when the file is created. |
| 23 |
|
| 24 |
There is also a principle in security in general that suggests that |
| 25 |
any situation where data can pass between two different privilege |
| 26 |
levels needs to be safeguarded by default. I believe there are |
| 27 |
operating system models (probably including SELinux) that block such |
| 28 |
flows/transitions by default, and force programmers to explicitly |
| 29 |
define them so that they can't happen inadvertently. Basically if a |
| 30 |
non-privileged process can only interact with a privileged process via |
| 31 |
very tightly controlled APIs then it is much easier to secure the |
| 32 |
process, even if a programmer can't anticipate all the ways that such |
| 33 |
an interaction might occur. |
| 34 |
|
| 35 |
In this particular case it just sounds like you need to open the file |
| 36 |
without using O_CREAT if you intend to open an existing process owned |
| 37 |
by another user, and if you intend to create a new file then you can |
| 38 |
use O_CREAT and if the system call fails that is a feature and not a |
| 39 |
bug. This safeguard forces the programmer to explicitly communicate |
| 40 |
to the kernel if it intended to open an existing file owned by a |
| 41 |
non-root user, vs getting tricked into it when it intended to create a |
| 42 |
new one. You can catch the failure and try again with a different |
| 43 |
name if you had wanted to create a temp file. |
| 44 |
|
| 45 |
-- |
| 46 |
Rich |
Archives