(In reply to fvogt@suse.com from comment #4)
> (In reply to Matthias Gerstner from comment #3)
> > (In reply to fvogt@suse.com from comment #1)
> > > I had a quick look at the helper and while it prevents arbitrary arguments
> > > to be passed (the absolute path has to be below /dev), this can probably be
> > > circumvented by sending a file descriptor over dbus and passing /dev/fd/X
> > > (should be predictable) as argument.
> >
> > Yes, this would be possible, but it requires the attacker to open the file in
> > advance (i.e. he needs to have certain access rights anyway). It could be
> > combined with a symlink attack in the path that /dev/fd/X is pointing to.
>
> Shouldn't even be necessary. open with O_PATH doesn't require privileges like
> that and smartctl seems to dereference the passed path anyway...

This is only partly valid. For opening with O_PATH you still need execute
permission on the involved directories.

> Definitely. IIRC I've heard of a library which implements several such
> primitives in a secure way, so if that's license compatible it could be used
> (or copied, as it's past dep freeze). I don't know where I found that anymore
> though, maybe you know something?

Yes, the library that Malte mentioned probably. I'm not sure if it is
production ready yet, though.

Since KDE seems to have a lot of use cases of this kind, it could also be a
solution to provide this path security check algorithm in some suitable
framework library. Most of the time what is needed is simply a path that is
known not to be under control of anybody else but root.
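The "path known not to be under control of anybody but root" check discussed above, as an added example in C (not code from the bug report, from the helper, from smartctl or from any KDE or third-party library): the path is walked one component at a time through `openat(O_NOFOLLOW)`, so a symlink hop such as `/dev/fd -> /proc/self/fd`, a `..` component or a directory writable by someone other than root is rejected. The function name and the 0/-1 return convention are this example's own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A directory on the way is acceptable only if root owns it and nobody
 * else may write to it (otherwise someone could swap entries under us). */
static int dir_is_root_only(const struct stat *st)
{
    return S_ISDIR(st->st_mode) && st->st_uid == 0 &&
           (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Walk an absolute path component by component with openat(O_NOFOLLOW): any
 * symlink (e.g. /dev/fd -> /proc/self/fd) or ".." is rejected and every
 * directory must pass dir_is_root_only(). The final object must be root-owned
 * and not a symlink; it is only stat'ed, never opened. Returns 0 if the path
 * is fully under root's control, -1 otherwise (incl. relative paths, "/" alone,
 * trailing slashes and OS errors). Hypothetical helper written for this example. */
int check_root_owned_path(const char *path)
{
    if (path == NULL || path[0] != '/') return -1;
    int dfd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) return -1;
    int rc = -1; struct stat st; char comp[256];
    if (fstat(dfd, &st) != 0 || !dir_is_root_only(&st)) goto out;
    for (const char *p = path; *p != '\0';) {
        while (*p == '/') p++;                 /* collapse repeated slashes */
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len >= sizeof(comp) || (len == 2 && memcmp(p, "..", 2) == 0))
            goto out;                          /* oversized or upward component */
        memcpy(comp, p, len); comp[len] = '\0';
        p += len;
        if (len == 1 && comp[0] == '.') continue;   /* "." changes nothing */
        if (*p == '\0') {                      /* final component: stat only */
            if (fstatat(dfd, comp, &st, AT_SYMLINK_NOFOLLOW) == 0 &&
                st.st_uid == 0 && !S_ISLNK(st.st_mode)) rc = 0;
            goto out;
        }
        int fd = openat(dfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (fd < 0) goto out;                  /* missing, not a dir, or a symlink */
        close(dfd); dfd = fd;
        if (fstat(dfd, &st) != 0 || !dir_is_root_only(&st)) goto out;
    }
out:
    close(dfd);
    return rc;
}
```

On a normal Linux system `check_root_owned_path("/dev/null")` returns 0, while `/dev/fd/0` (symlink into /proc), `/dev/../dev/null` and anything below the world-writable `/tmp` return -1.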