From: Rich Felker <dalias@libc.org>
To: musl@lists.openwall.com
Subject: Re: realpath() and setfsuid programs
Date: Sat, 7 Feb 2015 07:26:03 -0500 [thread overview]
Message-ID: <20150207122603.GU23507@brightrain.aerifal.cx> (raw)
In-Reply-To: <20150207095354.620d2fe5@vostro>
On Sat, Feb 07, 2015 at 09:53:54AM +0200, Timo Teras wrote:
> Hi,
>
> It seems realpath() does not work in binaries using setfsuid(). (At
> least on grsec kernels, vanilla kernel might be affected too.)
>
> The problem is that realpath() opens the file, and then
> uses just readlink on /proc/self/fd/<fd> to read the canonicalized
> path.
>
> However, /proc/self/fd is not accessible if setfsuid() has been used to
> drop privileges.
>
> The problem I'm looking at in this case is fuse. fusermount, the
> suid wrapper to do user fuse mounts, seems to basically do:
> oldfsuid = setfsuid(getuid())
> oldfsgid = setfsgid(getgid())
> take realpath of mountpoint
> chdir("/")
> setfsuid(oldfsuid)
> setfsgid(oldfsgid)
>
> I believe they want to drop privileges so it works as also access check
> to the mount point directory. As realpath() in practice checks that the
> user has access to the entry too.
Could you clarify what you think the security intent of this code is?
As far as I can tell it's nonsense. realpath is not usable for much of
anything security-related; in particular, it's non-atomic and subject
to all sorts of trickery involving renaming/moving directories during
its operation, even moreso when it's done component-by-component in
userspace.
Why is the check not simply an ownership check for the mount point? I
suspect it has to do with the need to pass a pathname rather than fd
to mount, which is subject to renaming/moving races, but the realpath
call would be subject to the same and worse. Presumably the correct
way to do this is to open a fd to the mountpoint then pass
/proc/self/fd/%d to the mount function after checking ownership.
> This works glibc, as realpath() canonicalizes the path
> component-by-component in userland. But musl breaks due to the /proc
> not being accessible while privileges dropped.
>
> Any suggestions?
I think first we should figure out if the code even makes sense. I
suspect it's a bug.
Rich
next prev parent reply other threads:[~2015-02-07 12:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-07 7:53 Timo Teras
2015-02-07 12:26 ` Rich Felker [this message]
2015-02-07 12:32 ` Rich Felker
2015-02-07 14:28 ` Timo Teras
2015-02-07 16:04 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150207122603.GU23507@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).