From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/6953 Path: news.gmane.org!not-for-mail From: Timo Teras Newsgroups: gmane.linux.lib.musl.general Subject: realpath() and setfsuid programs Date: Sat, 7 Feb 2015 09:53:54 +0200 Message-ID: <20150207095354.620d2fe5@vostro> Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Trace: ger.gmane.org 1423295682 27689 80.91.229.3 (7 Feb 2015 07:54:42 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Sat, 7 Feb 2015 07:54:42 +0000 (UTC) To: musl@lists.openwall.com Original-X-From: musl-return-6966-gllmg-musl=m.gmane.org@lists.openwall.com Sat Feb 07 08:54:37 2015 Return-path: Envelope-to: gllmg-musl@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1YK0Dt-0004X6-4q for gllmg-musl@m.gmane.org; Sat, 07 Feb 2015 08:54:37 +0100 Original-Received: (qmail 15768 invoked by uid 550); 7 Feb 2015 07:54:34 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: Original-Received: (qmail 15758 invoked from network); 7 Feb 2015 07:54:33 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:date:from:to:subject:message-id:mime-version:content-type :content-transfer-encoding; bh=9jvMNlDOhD8YGdSzan+sy4iCLCkM/GhW/ms75eB84EQ=; b=F0Yz28UUgBJj8FIZTaw10XWynKnIDuDjuOmk8SnpcoLo0SOlT2VrGkab/3q6HuF7ar WYNUxblV1MJI1uLjiqCoEBXebdRbWY+AuOFOTC8+7TjAQ3F29xKSpHIaMDmTCEJJDA3t uHC2IYoYS1fMh4nfH43UDNe78VGlSeq7mcaIjOkzyPUdezuSjWph7Oene+lBazhh/N7T JSDY+8HPuAyA+jJRNdks3LgDfRZO8ILPV2xl9Yl43eCbyvUzJbTQq6sK42N3hQNp1dTh MaOLsxMuhUHxlNRg8sBD4xFC2Y7QXsxejL3NWW+WNxozHYggpA/noeCQED3gEsAepTel qp/w== X-Received: by 10.112.236.36 with SMTP id ur4mr6179345lbc.67.1423295662009; Fri, 06 Feb 2015 23:54:22 -0800 (PST) Original-Sender: =?UTF-8?Q?Timo_Ter=C3=A4s?= X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.25; x86_64-alpine-linux-musl) Xref: news.gmane.org gmane.linux.lib.musl.general:6953 Archived-At: Hi, It seems realpath() does not work in binaries using setfsuid(). (At least on grsec kernels, vanilla kernel might be affected too.) The problem is that realpath() opens the file, and then uses just readlink on /proc/self/fd/ to read the canonicalized path. However, /proc/self/fd is not accessible if setfsuid() has been used to drop privileges. The problem I'm looking at in this case is fuse. fusermount, the suid wrapper to do user fuse mounts, seems to basically do: oldfsuid = setfsuid(getuid()) oldfsgid = setfsgid(getgid()) take realpath of mountpoint chdir("/") setfsuid(oldfsuid) setfsgid(oldfsgid) I believe they want to drop privileges so it works as also access check to the mount point directory. As realpath() in practice checks that the user has access to the entry too. This works glibc, as realpath() canonicalizes the path component-by-component in userland. But musl breaks due to the /proc not being accessible while privileges dropped. Any suggestions? Thanks, Timo