Re: Some ostree observations



On Tue, Feb 25, 2014 at 4:24 AM, Florian Weimer <fweimer redhat com> wrote:
> I see in strace that something is calling lsetxattr with a full path. This is racy because the "l" part only applies to the final component of the path. Other SELinux utilities have this bug as well. A complete fix needs kernel changes and probably a new system call (fsetxattrat).

You mean lsetxattrat() - one can't presently get a fd for a symlink (to my knowledge).

And right.  There's nothing I can do about it.  If you read the code you'll note that it's generally carefully written to use the *at() variants wherever possible.  Except it's not possible there.

This was all *really* painful for me because I started a large rewrite to use *at() and only very late in the game realized there was no lsetxattrat(), and had to go back and rewrite everything to pass a directory fd *and* the path, and just use the path for lsetxattr().

Ok, there is one thing I could do, which is:

fchdir(dfd);
lsetxattr("linkname", ...);

However...first I'd have to carefully ensure that everything *else* was using either fully qualified paths or *at() functions.  A command line argument like --repo=repo would have to be fully qualified internally (it is now, but there are others).

And second since OSTree is multithreaded, I'd have to have a mutex around the above.

And thirdly since OSTree is a library, I'd be calling chdir() behind the application's back, which is just evil.

You're right though that there are presently directories in /etc such as /etc/polkit-1/rules.d which are writable by non-root system users.

I think so far we've mostly gotten away with this - e.g. a compromised polkitd is going to have other vectors for escalation.

> This wasn't based on source code review, I saw it when running "ostree admin upgrade" on a hostile network. It's not clear to me how this happened. I can try to build a proper reproducer.

Hmm, interesting.  Yes, a reproducer would be good.  Can you also elaborate on "hostile network"?  Did you write custom scripts to target OSTree content or are you using something generic which just corrupts generic HTTP requests?
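An added example, not code from this thread or from OSTree: one way to get the *at() semantics the message says are missing, without the fchdir() workaround and the mutex and library-wide chdir() it would require, is to pin the directory with an already-open fd and address only the final component through the /proc/self/fd magic link, so the intermediate components are never looked up by name. The helper names (lsetxattr_at, lgetxattr_at) are hypothetical, and the code assumes Linux with /proc mounted.

```c
/* Hypothetical helpers (not OSTree code): emulate the missing lsetxattrat()
 * by addressing only the final component through the /proc/self/fd magic
 * link. The directory is pinned by an already-open fd, so no chdir() or
 * mutex is needed. Assumes Linux with /proc mounted. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Build "/proc/self/fd/<dfd>/<name>". Only a single, non-special component
 * is accepted: a '/' would reintroduce racy intermediate lookups, and
 * "."/".." would step out of the pinned directory. */
static int fd_path(int dfd, const char *name, char *buf, size_t len)
{
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        errno = EINVAL; return -1;
    }
    int n = snprintf(buf, len, "/proc/self/fd/%d/%s", dfd, name);
    if (n < 0 || (size_t)n >= len) {
        errno = ENAMETOOLONG; return -1;
    }
    return 0;
}

/* lsetxattr() relative to dfd; a symlink at `name` is labelled, not followed. */
int lsetxattr_at(int dfd, const char *name, const char *attr,
                 const void *value, size_t size, int flags)
{
    char path[PATH_MAX];
    if (fd_path(dfd, name, path, sizeof path) < 0)
        return -1;
    return lsetxattr(path, attr, value, size, flags);
}

/* lgetxattr() relative to dfd, with the same no-follow semantics. */
ssize_t lgetxattr_at(int dfd, const char *name, const char *attr,
                     void *value, size_t size)
{
    char path[PATH_MAX];
    if (fd_path(dfd, name, path, sizeof path) < 0)
        return -1;
    return lgetxattr(path, attr, value, size);
}
```

The caller opens the directory with O_DIRECTORY (and, where the parent chain matters, walks there with openat() and O_NOFOLLOW) and passes that fd; everything above the final component is then fixed to that inode for the lifetime of the fd.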


