https://bugzilla.suse.com/show_bug.cgi?id=1176742 https://bugzilla.suse.com/show_bug.cgi?id=1176742#c6 --- Comment #6 from Matthias Gerstner <matthias.gerstner@suse.com> --- (In reply to fvogt@suse.com from comment #4)

(In reply to Matthias Gerstner from comment #3)

...

(In reply to fvogt@suse.com from comment #1)

...

I had a quick look at the helper and while it prevents arbitrary arguments to be passed (the absolute path has to be below /dev), this can probably be circumvented by sending a file descriptor over dbus and passing /dev/fd/X (should be predictable) as argument.

Yes this would be possible, but it requires the attacker to open the file in advance (i.e. he needs to have certain access rights anyway). It could be combined with a symlink attack in the path that /dev/fd/X is pointing to.

Shouldn't even be necessary. open with O_PATH doesn't require privileges like that and smartctl seems to dereference the passed path anyway...

This is only partly valid. For opening with O_PATH you still need execute permission on the involved directories.

Definitely. IIRC I've heard of a library which implements several of such primitives in a secure way, so if that's license compatible it could be used (or copied, as it's past dep freeze). I don't know where I found that anymore though, maybe you know something?

Yes the library that Malte mentioned probably. I'm not sure if it is production ready yet, though. Since the KDE seems to have a lot of uses cases of this kind it could also be a solution to provide this path security check algorithm in some suitable framework library. Most of the time what is needed is simply a path that is known not to be under control of anybody else but root. -- You are receiving this mail because: You are on the CC list for the bug.