| 1 |
On 12/4/20 1:44 AM, Dale wrote: |
| 2 |
> |
| 3 |
> Will opentmpfiles be fixed at some point or is it true that it can't be |
| 4 |
> fixed? On -dev, I think I read where one person said it can't be |
| 5 |
> fixed. In that case, switching is likely a good idea since the insecure |
| 6 |
> package can't be fixed. |
| 7 |
> |
| 8 |
|
| 9 |
The answer is a bit complicated. The first thing we need to understand |
| 10 |
that opentmpfiles is supposed to be a cross-platform (i.e. POSIX) |
| 11 |
implementation of the systemd-tmpfiles program. Systemd itself only runs |
| 12 |
on newer versions of linux, and since it has control of the entire |
| 13 |
system, it can enable those non-standard symlink and hardlink |
| 14 |
protections. So, |
| 15 |
|
| 16 |
* systemd-tmpfiles is secure, but only on linux, and only if you let |
| 17 |
it enable fs.protected_hardlinks for you. |
| 18 |
|
| 19 |
The security there comes from two places. The first is that everything |
| 20 |
was implemented carefully in C to avoid these problems, and the second |
| 21 |
is that fs.protected_hardlinks solves the otherwise-unavoidable hardlink |
| 22 |
exploits. |
| 23 |
|
| 24 |
Now for contrast, opentmpfiles is INsecure for two reasons: |
| 25 |
|
| 26 |
(1) It's written in shell script, so it doesn't have the ability to |
| 27 |
pass e.g. O_NOFOLLOW to all of the calls that might follow |
| 28 |
symlinks. And shell programs all operate on path names as opposed |
| 29 |
to file descriptors, so race conditions are impossible to avoid. |
| 30 |
|
| 31 |
(2) The fs.protected_hardlinks sysctl is not cross-platform, so if |
| 32 |
it's to fulfill its stated design goals, opentmpfiles can't rely |
| 33 |
on fs.protected_hardlinks. |
| 34 |
|
| 35 |
The first problem is fixable, but the second is not. If opentmpfiles is |
| 36 |
rewritten in C, it could be just as secure as systemd-tmpfiles... but |
| 37 |
**only on linux with fs.protected_hardlinks enabled**. |
| 38 |
|
| 39 |
It will never be both secure and cross-platform. The design of the whole |
| 40 |
tmpfiles.d thing is flawed in that regard. |
| 41 |
|
| 42 |
|
| 43 |
> |
| 44 |
> root@fireball / # sysctl -n fs.protected_hardlinks |
| 45 |
> 1 |
| 46 |
> root@fireball / # |
| 47 |
> |
| 48 |
> |
| 49 |
> Does that improve things any or does that not really help anything? |
| 50 |
> |
| 51 |
|
| 52 |
It completely fixes one of the problems (hardlinks), but does nothing |
| 53 |
for the other (non-terminal symlinks). |
Archives