| 1 |
On Fri, Mar 11, 2022 at 12:26 PM Rich Freeman <rich0@g.o> wrote: |
| 2 |
> |
| 3 |
> On Fri, Mar 11, 2022 at 1:23 PM Mark Knecht <markknecht@×××××.com> wrote: |
| 4 |
> > |
| 5 |
> > To me the overriding idea of not letting any user, including root, |
| 6 |
> > mess around in a pipe makes logical sense, but as the OP has showed I |
| 7 |
> > guess there were valid uses for this feature pre-patch, and it seems |
| 8 |
> > that a user can override the feature by setting some bits if they need |
| 9 |
> > to and really think they know what they are doing. |
| 10 |
> |
| 11 |
> There has been a long history of exploits on Unix involving places |
| 12 |
> like /tmp because it is so easy for different users to step on each |
| 13 |
> other's toes, possibly deliberately. The sorts of things that can go |
| 14 |
> wrong are usually not intuitive, though anybody creating files in a |
| 15 |
> world/group-writable location really should be aware of them. This is |
| 16 |
> also the reason why you should never have "." in your path. |
| 17 |
> |
| 18 |
> Usually attacks work by predicting some file that a root-controlled |
| 19 |
> process is about to create, and then creating it before the process |
| 20 |
> does, so that the process ends up opening an existing file that you |
| 21 |
> control instead of a new file that it controls. Programmers sometimes |
| 22 |
> anticipate issues and create their own safeguards, but fail to |
| 23 |
> understand race conditions so there can be a time gap between after |
| 24 |
> the sanity checks are run and when the file is created. |
| 25 |
> |
| 26 |
> There is also a principle in security in general that suggests that |
| 27 |
> any situation where data can pass between two different privilege |
| 28 |
> levels needs to be safeguarded by default. I believe there are |
| 29 |
> operating system models (probably including SELinux) that block such |
| 30 |
> flows/transitions by default, and force programmers to explicitly |
| 31 |
> define them so that they can't happen inadvertently. Basically if a |
| 32 |
> non-privileged process can only interact with a privileged process via |
| 33 |
> very tightly controlled APIs then it is much easier to secure the |
| 34 |
> process, even if a programmer can't anticipate all the ways that such |
| 35 |
> an interaction might occur. |
| 36 |
> |
| 37 |
> In this particular case it just sounds like you need to open the file |
| 38 |
> without using O_CREAT if you intend to open an existing process owned |
| 39 |
> by another user, and if you intend to create a new file then you can |
| 40 |
> use O_CREAT and if the system call fails that is a feature and not a |
| 41 |
> bug. This safeguard forces the programmer to explicitly communicate |
| 42 |
> to the kernel if it intended to open an existing file owned by a |
| 43 |
> non-root user, vs getting tricked into it when it intended to create a |
| 44 |
> new one. You can catch the failure and try again with a different |
| 45 |
> name if you had wanted to create a temp file. |
| 46 |
> |
| 47 |
> -- |
| 48 |
> Rich |
| 49 |
> |
| 50 |
|
| 51 |
Excellent info Rich. Thanks! |
| 52 |
|
| 53 |
- Mark |
Archives