From: Thomas Deutschmann <whissi@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] PSA: switching default tmpfiles virtual provider
Date: Thu, 26 Nov 2020 23:57:59 +0100 [thread overview]
Message-ID: <df99c1fe-3073-6570-f36b-c3bcfd1c3dd2@gentoo.org> (raw)
In-Reply-To: <30208b9d-c5bd-46f3-c76c-c538812b7c5a@gentoo.org>
[-- Attachment #1.1: Type: text/plain, Size: 2092 bytes --]
On 2020-11-26 21:36, Michael Orlitzky wrote:
> Most of these security issues were fixed in systemd-tmpfiles years ago,
> and you can easily find upstream tmpfiles.d entries that contain e.g.
> "Z" entries. In that case, the upstream file is not in error, and root
> doesn't have to be actively tricked into installing anything -- it will
> just happen.
I disagree here: Packages installing tmpfiles configs requiring
recursive chown on each boot are doing something wrong from my P.O.V.
like you can never safely do that (you can only take precaution like not
following symlinks but in this case you don't do what you were asked to
do so you shouldn't return 'Yup, I chowned everything like you asked me
to do').
> Opentmpfiles literally cannot fix this. There is no POSIX API to safely
> handle hardlinks. At best it can be reduced to the same race condition
> we have in checkpath, but the entire project would have to be rewritten
> in C to accomplish even that.
Note that hardlinks aren't even fixed for systemd's tmpfiles provider.
It will always rely on fs.protected_hardlinks for example. And checking
for hardlinks like happened to address CVE-2017-18078 will create
another TOCTOU race. Where is the follow-up report for this?
In short: As long as it is possible for attacker to write to directory
you are working on you can never do mentioned things in a safe way. You
first have to revoke access for everyone except you and then you can
start checking file per file... but *no* implementation is doing
something like that.
And keep in mind: We are talking about an attack vector where we already
assume someone successfully compromised an application and can now do
everything the application user can do for which we do the work in
tmpfiles config. Saying that systemd's implementation is more secure
than OpenTmpfiles' implementation when you are still able to escalate
privileges is very misleading.
--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]
next prev parent reply other threads:[~2020-11-26 22:58 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-25 21:57 [gentoo-dev] PSA: switching default tmpfiles virtual provider Georgy Yakovlev
2020-11-26 6:55 ` Piotr Karbowski
2020-11-29 21:50 ` William Hubbs
2020-11-30 21:56 ` Mike Gilbert
2020-11-26 15:07 ` Thomas Deutschmann
2020-11-26 20:36 ` Michael Orlitzky
2020-11-26 22:57 ` Thomas Deutschmann [this message]
2020-11-26 23:25 ` Michael Orlitzky
2020-11-26 22:37 ` Peter Stuge
2020-11-26 22:42 ` Sam James
2020-11-26 22:45 ` Michael Orlitzky
2020-11-26 22:58 ` David Seifert
2020-11-28 19:16 ` Georgy Yakovlev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=df99c1fe-3073-6570-f36b-c3bcfd1c3dd2@gentoo.org \
--to=whissi@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox