From: Rich Felker <dalias@libc.org>
To: musl@lists.openwall.com
Subject: Re: realpath() and setfsuid programs
Date: Sat, 7 Feb 2015 07:32:43 -0500 [thread overview]
Message-ID: <20150207123243.GV23507@brightrain.aerifal.cx> (raw)
In-Reply-To: <20150207122603.GU23507@brightrain.aerifal.cx>
On Sat, Feb 07, 2015 at 07:26:03AM -0500, Rich Felker wrote:
> On Sat, Feb 07, 2015 at 09:53:54AM +0200, Timo Teras wrote:
> > Hi,
> >
> > It seems realpath() does not work in binaries using setfsuid(). (At
> > least on grsec kernels, vanilla kernel might be affected too.)
> >
> > The problem is that realpath() opens the file, and then
> > uses just readlink on /proc/self/fd/<fd> to read the canonicalized
> > path.
> >
> > However, /proc/self/fd is not accessible if setfsuid() has been used to
> > drop privileges.
> >
> > The problem I'm looking at in this case is fuse. fusermount, the
> > suid wrapper to do user fuse mounts, seems to basically do:
> > oldfsuid = setfsuid(getuid())
> > oldfsgid = setfsgid(getgid())
> > take realpath of mountpoint
> > chdir("/")
> > setfsuid(oldfsuid)
> > setfsgid(oldfsgid)
> >
> > I believe they want to drop privileges so it works as also access check
> > to the mount point directory. As realpath() in practice checks that the
> > user has access to the entry too.
>
> Could you clarify what you think the security intent of this code is?
> As far as I can tell it's nonsense. realpath is not usable for much of
> anything security-related; in particular, it's non-atomic and subject
> to all sorts of trickery involving renaming/moving directories during
> its operation, even moreso when it's done component-by-component in
> userspace.
>
> Why is the check not simply an ownership check for the mount point? I
> suspect it has to do with the need to pass a pathname rather than fd
> to mount, which is subject to renaming/moving races, but the realpath
> call would be subject to the same and worse. Presumably the correct
> way to do this is to open a fd to the mountpoint then pass
> /proc/self/fd/%d to the mount function after checking ownership.
Or of course just using chdir and checking ownership of ".".
Rich
next prev parent reply other threads:[~2015-02-07 12:32 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-07 7:53 Timo Teras
2015-02-07 12:26 ` Rich Felker
2015-02-07 12:32 ` Rich Felker [this message]
2015-02-07 14:28 ` Timo Teras
2015-02-07 16:04 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150207123243.GV23507@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).