lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20100531220000.GI4098@outflux.net>
Date:	Mon, 31 May 2010 15:00:00 -0700
From:	Kees Cook <kees.cook@...onical.com>
To:	Al Viro <viro@...IV.linux.org.uk>
Cc:	Alan Cox <alan@...rguk.ukuu.org.uk>, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-fsdevel@...r.kernel.org, linux-doc@...r.kernel.org,
	Randy Dunlap <rdunlap@...otime.net>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Jiri Kosina <jkosina@...e.cz>,
	Dave Young <hidave.darkstar@...il.com>,
	Martin Schwidefsky <schwidefsky@...ibm.com>,
	James Morris <jmorris@...ei.org>,
	Eric Paris <eparis@...hat.com>,
	David Howells <dhowells@...hat.com>,
	Ingo Molnar <mingo@...e.hu>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Tim Gardner <tim.gardner@...onical.com>,
	"Serge E. Hallyn" <serue@...ibm.com>
Subject: Re: [PATCH v2] fs: block cross-uid sticky symlinks

Hi Al,

On Mon, May 31, 2010 at 08:52:30PM +0100, Al Viro wrote:
> On Mon, May 31, 2010 at 12:07:54PM -0700, Kees Cook wrote:
> > IIRC, screen, when setuid, allows users to share screen sessions (following
> > some system-defined ACLs) but it does it via the /tmp directory trees it
> > creates.  Per-user /tmp would break this (but yes, it's solvable using some
> > kind of /var/lib/screen which maybe even already exists).
> 
> screen(1) does *not* put directories in /tmp these days, TYVM.
> 
> al@...e:~/linux/trees/vfs-next$ ls -l /var/run/screen/
> total 1
> drwx------ 2 al al 1024 May 20 21:50 S-al

Okay, good; that's a relief.

> In any case, the suggested "improvement" breaks realistic use cases, AFAICS.
> In particular,
> 
> cd /tmp
> tar jxf foo-2.42.orig.tar.bz2
> <...>
> tar jxf foo-gtk-wank-wank-wank-2.69.orig.tar.bz2
> <...>
> ln -s foo-gtk-wank-wank-wank-2.69/docs/GNOME/design/ crap
> <...>
> lpr crap/taste-is-optional.ps
> lpr crap/why-options-are-wrong.ps
> 
> is going to break with that, isn't it?

Nope.  To be fair, it depends on the implementation of of LPR.  In the
case of CUPS, this is fine since lpr will run as the local user, follow
the symlink and read the file contents before POSTing the contents to
the CUPS server.  The privilege boundary is crossed at the network,
not the filesystem in this case.

I would note however that without the symlink following patch a hypothetical
attacker would be able to race you for the "foo-gtk-wank-wank-wank-2.69"
entry, or the "crap" entry, since either could be directed out from under
"tar" and "ln" to symlinks controlled by the attacker.  Unpacking archives
in a sticky world-writable directory is dangerous without this symlink
following patch.

-Kees

-- 
Kees Cook
Ubuntu Security Team
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ