[Bug 1170161] New: AUDIT-FIND: enlightenment: enlightenment_system: _store_mount_verify() follows symlinks in /media/$user
http://bugzilla.suse.com/show_bug.cgi?id=1170161

Bug ID: 1170161
Summary: AUDIT-FIND: enlightenment: enlightenment_system: _store_mount_verify() follows symlinks in /media/$user
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: simonf.lees@suse.com
Reporter: matthias.gerstner@suse.com
QA Contact: qa-bugs@suse.de
CC: matthias.gerstner@suse.com, security-team@suse.de
Blocks: 1169238
Found By: ---
Blocker: ---

+++ This bug was initially created as a clone of Bug #1169238

This function rejects relative path components in the target mount path, unlike its sibling function described in b). However, it is unaware of symlinks. Furthermore it makes sure that /media/$user and /media/$user/sub exist and are owned by the $uid:$gid of the unprivileged user.

- By placing a symlink in /media/$user/sub the setuid-root binary can be tricked into creating attacker-owned directories in arbitrary locations. This can quite likely lead to full root access by creating user-owned directories e.g. beneath /etc that are then used by other privileged programs.

- If the attacker wins a race condition he can also cause the setuid-root binary to pass ownership of arbitrary existing directories to himself. The `_store_mount_verify()` function performs a single `stat()` call on the target mount path. Only if it exists and is not owned by the unprivileged user is the execution aborted. Therefore if the attacker places a suitable symlink in the target path just after this `stat()` is performed by the setuid-root binary, the following `_mkdir()` invocation will `mkdir()` and `chown()` the path components nonetheless. This allows full root system access by gaining ownership of e.g. /etc or /root.

To fix this I suggest not passing ownership of /media/$user or of any sub-directories to the unprivileged user. If /media/$user is user controlled then the mount operation should be rejected.

-- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1170161#c1

--- Comment #1 from Simon Lees <simonf.lees@suse.com> ---

Upstream: https://phab.enlightenment.org/T8670
http://bugzilla.suse.com/show_bug.cgi?id=1170161#c2

--- Comment #2 from Simon Lees <simonf.lees@suse.com> ---

Upstream Fix: https://phab.enlightenment.org/rE0c79c6317b92d9a5dd2548bb34625c6ed03018d7

enlightenment is not actually using this codepath yet.
http://bugzilla.suse.com/show_bug.cgi?id=1170161#c3

Matthias Gerstner <matthias.gerstner@suse.com> changed:

What     | Removed | Added
---------|---------|------------
Status   | NEW     | IN_PROGRESS

--- Comment #3 from Matthias Gerstner <matthias.gerstner@suse.com> ---

The upstream fix should deal with the problem at hand. I still need to check what happens with symlinks.

Now the code performs a chown to 0:0 for the /media and /media/$user directory. It still seems a bit forced, could potentially clash with other mount managers. But there's a note that they think about using /run/media instead.
http://bugzilla.suse.com/show_bug.cgi?id=1170161#c4

Matthias Gerstner <matthias.gerstner@suse.com> changed:

What       | Removed     | Added
-----------|-------------|---------
Status     | IN_PROGRESS | RESOLVED
Resolution | ---         | FIXED

--- Comment #4 from Matthias Gerstner <matthias.gerstner@suse.com> ---

As I said before this logic still looks a bit shaky. The `_mkdir()` function still performs a `chown()`, where an `lchown()` would be more on the safe side.

Theoretically, if another mount manager creates user-owned /media/$USER directories, then the symlink attack would still basically work at least one time. A user could then place /media/$USER/link -> /etc. enlightenment_system would perform:

    mkdir /media; chown 0:0 /media
    mkdir /media/$USER; chown 0:0 /media/$USER
    mkdir /media/$USER/link; chown 0:0 /media/$USER/link

Since the chown is now towards 0:0 the attack isn't that useful any more. But a mount over a symlink could still cause trouble.
http://bugzilla.suse.com/show_bug.cgi?id=1170161#c5

--- Comment #5 from Matthias Gerstner <matthias.gerstner@suse.com> ---

Created attachment 838069 --> http://bugzilla.suse.com/attachment.cgi?id=838069&action=edit
patch to harden _mkdir()
http://bugzilla.suse.com/show_bug.cgi?id=1170161#c6

--- Comment #6 from Matthias Gerstner <matthias.gerstner@suse.com> ---

In attachment 838069 you can find a suggested patch that would make me sleep better regarding this. Can you approach upstream with this?
http://bugzilla.suse.com/show_bug.cgi?id=1170161#c7

Matthias Gerstner <matthias.gerstner@suse.com> changed:

What       | Removed  | Added
-----------|----------|---------
Status     | RESOLVED | REOPENED
Resolution | FIXED    | ---

--- Comment #7 from Matthias Gerstner <matthias.gerstner@suse.com> ---

Sorry I didn't mean to close this bug just yet.
https://bugzilla.suse.com/show_bug.cgi?id=1170161#c8

--- Comment #8 from Matthias Gerstner <matthias.gerstner@suse.com> ---

Could I please get an update about this? Can you add the patch?
https://bugzilla.suse.com/show_bug.cgi?id=1170161#c9

--- Comment #9 from Simon Lees <simonf.lees@suse.com> ---

Patch to remove the code is https://build.opensuse.org/package/view_file/X11:Enlightenment:Factory/enlig... sorry it took so long.
https://bugzilla.suse.com/show_bug.cgi?id=1170161#c10

Matthias Gerstner <matthias.gerstner@suse.com> changed:

What       | Removed  | Added
-----------|----------|---------
Status     | REOPENED | RESOLVED
Resolution | ---      | FIXED

--- Comment #10 from Matthias Gerstner <matthias.gerstner@suse.com> ---

Thanks for addressing this. With the code removed the mkdir patch is not necessary. Closing as fixed.