From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/6954 Path: news.gmane.org!not-for-mail From: Rich Felker Newsgroups: gmane.linux.lib.musl.general Subject: Re: realpath() and setfsuid programs Date: Sat, 7 Feb 2015 07:26:03 -0500 Message-ID: <20150207122603.GU23507@brightrain.aerifal.cx> References: <20150207095354.620d2fe5@vostro> Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: ger.gmane.org 1423311985 4844 80.91.229.3 (7 Feb 2015 12:26:25 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Sat, 7 Feb 2015 12:26:25 +0000 (UTC) To: musl@lists.openwall.com Original-X-From: musl-return-6967-gllmg-musl=m.gmane.org@lists.openwall.com Sat Feb 07 13:26:24 2015 Return-path: Envelope-to: gllmg-musl@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1YK4Sp-0005rO-If for gllmg-musl@m.gmane.org; Sat, 07 Feb 2015 13:26:19 +0100 Original-Received: (qmail 11525 invoked by uid 550); 7 Feb 2015 12:26:17 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: Original-Received: (qmail 11504 invoked from network); 7 Feb 2015 12:26:16 -0000 Content-Disposition: inline In-Reply-To: <20150207095354.620d2fe5@vostro> User-Agent: Mutt/1.5.21 (2010-09-15) Original-Sender: Rich Felker Xref: news.gmane.org gmane.linux.lib.musl.general:6954 Archived-At: On Sat, Feb 07, 2015 at 09:53:54AM +0200, Timo Teras wrote: > Hi, > > It seems realpath() does not work in binaries using setfsuid(). (At > least on grsec kernels, vanilla kernel might be affected too.) > > The problem is that realpath() opens the file, and then > uses just readlink on /proc/self/fd/ to read the canonicalized > path. > > However, /proc/self/fd is not accessible if setfsuid() has been used to > drop privileges. > > The problem I'm looking at in this case is fuse. fusermount, the > suid wrapper to do user fuse mounts, seems to basically do: > oldfsuid = setfsuid(getuid()) > oldfsgid = setfsgid(getgid()) > take realpath of mountpoint > chdir("/") > setfsuid(oldfsuid) > setfsgid(oldfsgid) > > I believe they want to drop privileges so it works as also access check > to the mount point directory. As realpath() in practice checks that the > user has access to the entry too. Could you clarify what you think the security intent of this code is? As far as I can tell it's nonsense. realpath is not usable for much of anything security-related; in particular, it's non-atomic and subject to all sorts of trickery involving renaming/moving directories during its operation, even moreso when it's done component-by-component in userspace. Why is the check not simply an ownership check for the mount point? I suspect it has to do with the need to pass a pathname rather than fd to mount, which is subject to renaming/moving races, but the realpath call would be subject to the same and worse. Presumably the correct way to do this is to open a fd to the mountpoint then pass /proc/self/fd/%d to the mount function after checking ownership. > This works glibc, as realpath() canonicalizes the path > component-by-component in userland. But musl breaks due to the /proc > not being accessible while privileges dropped. > > Any suggestions? I think first we should figure out if the code even makes sense. I suspect it's a bug. Rich