Subject: Re: [gentoo-dev] rfc: ideas for fixing OpenRC checkpath issue
To: gentoo-dev@lists.gentoo.org
References: <20180110000741.GA3995@whubbs1.gaikai.biz> <20180110221841.740bcd91@symphony.aura-online.co.uk>
From: Michael Orlitzky
Date: Wed, 10 Jan 2018 18:31:21 -0500
In-Reply-To: <20180110221841.740bcd91@symphony.aura-online.co.uk>

On 01/10/2018 05:18 PM, James Le Cuirot wrote:
>
> The init script used to call chown/chmod -R, which is obviously bad.
> I've compromised by only calling these on the directories themselves
> (ignoring symlinks). I believe this is safe because it's not possible
> to create hard linked directories these days? Would you agree?

Are you still using chown and chmod? If so, you should switch to
checkpath -- chown and chmod don't even try to avoid hard links. I would
be surprised to see a "chown" or "chmod" in an init script that can't be
replaced by something better.

The race condition that we're talking about here is trying to squeeze
the last 1% of security out of checkpath; it's already much safer than
chown/chmod.

For example, if your script is calling chown and chmod on two
directories /foo and /foo/bar, then whoever owns /foo can kill /foo/bar
entirely and replace it with a hard link to /etc/passwd. When the
service restarts, chown and chmod won't care that you think /foo/bar
should be a directory instead.
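An added example in C (not code from this thread or from OpenRC's checkpath) of the kind of check the reply argues for: ownership and mode are applied only through a descriptor opened with O_DIRECTORY|O_NOFOLLOW, so a symlink, or a hard link to /etc/passwd dropped in place of /foo/bar, is refused rather than chowned. The function names and the scratch tree under /tmp are assumptions for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Apply owner/mode to `path` only if it is a real directory reached without
 * following a symlink; -1 (errno set) for symlinks, non-directories, errors. */
int secure_dir_perms(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    /* O_NOFOLLOW rejects a symlink at the last component; O_DIRECTORY
     * rejects anything that is not a directory, which is what a hard link
     * to /etc/passwd standing in for /foo/bar would be. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode)) {
        close(fd); errno = ENOTDIR; return -1;
    }
    /* Operate on the descriptor, not the name, so the object we checked
     * is the object we change even if the name is swapped underneath us. */
    int rc = 0;
    if (st.st_uid != uid || st.st_gid != gid) rc = fchown(fd, uid, gid);
    if (rc == 0 && (st.st_mode & 07777) != mode) rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Constructed fixture (assumed scratch tree under /tmp): a real directory, a
 * symlink to it and a regular file standing in for the swapped-in hard link.
 * Returns a bitmask of what was accepted: 1 real dir, 2 symlink, 4 file. */
int demo_accept_mask(void)
{
    char base[] = "/tmp/checkpath-demo-XXXXXX", real[64], lnk[64], file[64];
    if (!mkdtemp(base)) return -1;
    snprintf(real, sizeof real, "%s/real", base);
    snprintf(lnk, sizeof lnk, "%s/link", base);
    snprintf(file, sizeof file, "%s/file", base);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || mkdir(real, 0700) || symlink(real, lnk)) return -1;
    close(fd);
    int mask = 0; /* current uid/gid so the demo runs unprivileged */
    mask |= secure_dir_perms(real, getuid(), getgid(), 0750) == 0 ? 1 : 0;
    mask |= secure_dir_perms(lnk, getuid(), getgid(), 0750) == 0 ? 2 : 0;
    mask |= secure_dir_perms(file, getuid(), getgid(), 0750) == 0 ? 4 : 0;
    unlink(file); unlink(lnk); rmdir(real); rmdir(base);
    return mask;
}
```

Only the genuine directory is touched (mask 1); the symlink fails with ELOOP and the regular file with ENOTDIR, which is the failure a bare chown/chmod would never report.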