From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/6955 Path: news.gmane.org!not-for-mail From: Rich Felker Newsgroups: gmane.linux.lib.musl.general Subject: Re: realpath() and setfsuid programs Date: Sat, 7 Feb 2015 07:32:43 -0500 Message-ID: <20150207123243.GV23507@brightrain.aerifal.cx> References: <20150207095354.620d2fe5@vostro> <20150207122603.GU23507@brightrain.aerifal.cx> Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: ger.gmane.org 1423312378 10590 80.91.229.3 (7 Feb 2015 12:32:58 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Sat, 7 Feb 2015 12:32:58 +0000 (UTC) To: musl@lists.openwall.com Original-X-From: musl-return-6968-gllmg-musl=m.gmane.org@lists.openwall.com Sat Feb 07 13:32:57 2015 Return-path: Envelope-to: gllmg-musl@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1YK4ZF-0000xx-HE for gllmg-musl@m.gmane.org; Sat, 07 Feb 2015 13:32:57 +0100 Original-Received: (qmail 16253 invoked by uid 550); 7 Feb 2015 12:32:56 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: Original-Received: (qmail 16245 invoked from network); 7 Feb 2015 12:32:55 -0000 Content-Disposition: inline In-Reply-To: <20150207122603.GU23507@brightrain.aerifal.cx> User-Agent: Mutt/1.5.21 (2010-09-15) Original-Sender: Rich Felker Xref: news.gmane.org gmane.linux.lib.musl.general:6955 Archived-At: On Sat, Feb 07, 2015 at 07:26:03AM -0500, Rich Felker wrote: > On Sat, Feb 07, 2015 at 09:53:54AM +0200, Timo Teras wrote: > > Hi, > > > > It seems realpath() does not work in binaries using setfsuid(). (At > > least on grsec kernels, vanilla kernel might be affected too.) > > > > The problem is that realpath() opens the file, and then > > uses just readlink on /proc/self/fd/ to read the canonicalized > > path. > > > > However, /proc/self/fd is not accessible if setfsuid() has been used to > > drop privileges. > > > > The problem I'm looking at in this case is fuse. fusermount, the > > suid wrapper to do user fuse mounts, seems to basically do: > > oldfsuid = setfsuid(getuid()) > > oldfsgid = setfsgid(getgid()) > > take realpath of mountpoint > > chdir("/") > > setfsuid(oldfsuid) > > setfsgid(oldfsgid) > > > > I believe they want to drop privileges so it works as also access check > > to the mount point directory. As realpath() in practice checks that the > > user has access to the entry too. > > Could you clarify what you think the security intent of this code is? > As far as I can tell it's nonsense. realpath is not usable for much of > anything security-related; in particular, it's non-atomic and subject > to all sorts of trickery involving renaming/moving directories during > its operation, even moreso when it's done component-by-component in > userspace. > > Why is the check not simply an ownership check for the mount point? I > suspect it has to do with the need to pass a pathname rather than fd > to mount, which is subject to renaming/moving races, but the realpath > call would be subject to the same and worse. Presumably the correct > way to do this is to open a fd to the mountpoint then pass > /proc/self/fd/%d to the mount function after checking ownership. Or of course just using chdir and checking ownership of ".". Rich