Re: Some ostree observations

On 02/25/2014 06:26 PM, Colin Walters wrote:
On Tue, Feb 25, 2014 at 4:24 AM, Florian Weimer <fweimer redhat com> wrote:
I see in strace that something is calling lsetxattr with a full path.
This is racy because the "l" part only applies to the final component
of the path. Other SELinux utilities have this bug as well. A complete
fix needs kernel changes and probably a new system call (fsetxattrat).

You mean lsetxattrat() - one can't presently get a fd for a symlink (to
my knowledge).

You could use lsetxattr and /proc/self/fd/%d/%s. It shows up as a symlink, but no symlink resolution is performed. It will still be vulnerable to attacks based on hard links. As a result of your linking farms, I don't think you'll be able to defend against those. Regular systems could use O_PATH, fstatat and fsetxattrat(AT_EMPTY_PATH) to deal with this,

You're right though that there are presently directories in /etc such as
/etc/polkit-1/rules.d which are writable by non-root system users.

Yes, I saw those, but I think they are harmless, for the reason you mentioned.

This wasn't based on source code review, I saw it when running "ostree
admin upgrade" on a hostile network. It's not clear to me how this
happened. I can try to build a proper reproducer.

Hmm, interesting.  Yes, a reproducer would be good.  Can you also
elaborate on "hostile network"?  Did you write custom scripts to target
OSTree content or are you using something generic which just corrupts
generic HTTP requests?

It was misbehaving custom script.  I'll try to recreate the situation.

Florian Weimer / Red Hat Product Security Team

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]