1 |
On Fri, Mar 11, 2022 at 12:26 PM Rich Freeman <rich0@g.o> wrote: |
2 |
> |
3 |
> On Fri, Mar 11, 2022 at 1:23 PM Mark Knecht <markknecht@×××××.com> wrote: |
4 |
> > |
5 |
> > To me the overriding idea of not letting any user, including root, |
6 |
> > mess around in a pipe makes logical sense, but as the OP has showed I |
7 |
> > guess there were valid uses for this feature pre-patch, and it seems |
8 |
> > that a user can override the feature by setting some bits if they need |
9 |
> > to and really think they know what they are doing. |
10 |
> |
11 |
> There has been a long history of exploits on Unix involving places |
12 |
> like /tmp because it is so easy for different users to step on each |
13 |
> other's toes, possibly deliberately. The sorts of things that can go |
14 |
> wrong are usually not intuitive, though anybody creating files in a |
15 |
> world/group-writable location really should be aware of them. This is |
16 |
> also the reason why you should never have "." in your path. |
17 |
> |
18 |
> Usually attacks work by predicting some file that a root-controlled |
19 |
> process is about to create, and then creating it before the process |
20 |
> does, so that the process ends up opening an existing file that you |
21 |
> control instead of a new file that it controls. Programmers sometimes |
22 |
> anticipate issues and create their own safeguards, but fail to |
23 |
> understand race conditions so there can be a time gap between after |
24 |
> the sanity checks are run and when the file is created. |
25 |
> |
26 |
> There is also a principle in security in general that suggests that |
27 |
> any situation where data can pass between two different privilege |
28 |
> levels needs to be safeguarded by default. I believe there are |
29 |
> operating system models (probably including SELinux) that block such |
30 |
> flows/transitions by default, and force programmers to explicitly |
31 |
> define them so that they can't happen inadvertently. Basically if a |
32 |
> non-privileged process can only interact with a privileged process via |
33 |
> very tightly controlled APIs then it is much easier to secure the |
34 |
> process, even if a programmer can't anticipate all the ways that such |
35 |
> an interaction might occur. |
36 |
> |
37 |
> In this particular case it just sounds like you need to open the file |
38 |
> without using O_CREAT if you intend to open an existing process owned |
39 |
> by another user, and if you intend to create a new file then you can |
40 |
> use O_CREAT and if the system call fails that is a feature and not a |
41 |
> bug. This safeguard forces the programmer to explicitly communicate |
42 |
> to the kernel if it intended to open an existing file owned by a |
43 |
> non-root user, vs getting tricked into it when it intended to create a |
44 |
> new one. You can catch the failure and try again with a different |
45 |
> name if you had wanted to create a temp file. |
46 |
> |
47 |
> -- |
48 |
> Rich |
49 |
> |
50 |
|
51 |
Excellent info Rich. Thanks! |
52 |
|
53 |
- Mark |