Re: Some ostree observations



On 02/25/2014 06:26 PM, Colin Walters wrote:
> On Tue, Feb 25, 2014 at 4:24 AM, Florian Weimer <fweimer redhat com> wrote:
>> I see in strace that something is calling lsetxattr with a full path.
>> This is racy because the "l" part only applies to the final component
>> of the path. Other SELinux utilities have this bug as well. A complete
>> fix needs kernel changes and probably a new system call (fsetxattrat).
>
> You mean lsetxattrat() - one can't presently get a fd for a symlink (to
> my knowledge).

You could use lsetxattr and /proc/self/fd/%d/%s. It shows up as a symlink, but no symlink resolution is performed. It will still be vulnerable to attacks based on hard links. As a result of your linking farms, I don't think you'll be able to defend against those. Regular systems could use O_PATH, fstatat and fsetxattrat(AT_EMPTY_PATH) to deal with this,

> You're right though that there are presently directories in /etc such as
> /etc/polkit-1/rules.d which are writable by non-root system users.

Yes, I saw those, but I think they are harmless, for the reason you mentioned.

>> This wasn't based on source code review, I saw it when running "ostree
>> admin upgrade" on a hostile network. It's not clear to me how this
>> happened. I can try to build a proper reproducer.
>
> Hmm, interesting. Yes, a reproducer would be good. Can you also
> elaborate on "hostile network"? Did you write custom scripts to target
> OSTree content or are you using something generic which just corrupts
> generic HTTP requests?

It was a misbehaving custom script. I'll try to recreate the situation.

--
Florian Weimer / Red Hat Product Security Team
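The component-by-component walk and the /proc/self/fd trick discussed above, as an added C example; this is not code from the thread or from ostree. It assumes Linux with /proc mounted and a writable /tmp whose filesystem either supports user.* xattrs or reports ENOTSUP for them. The directory tree it builds (a real directory, a symlink to it, and a hard-linked alias) is a constructed fixture for the demonstration. Each intermediate component is opened with O_PATH|O_NOFOLLOW and checked with fstat, so a symlink anywhere before the final component fails with ELOOP; the final component is then reached through /proc/self/fd/N/leaf so that lsetxattr only has that one component left to resolve. The hard-link caveat from the reply is also visible: after the walk, the only evidence that the leaf is a hard link to some other file is its link count, which the walk itself cannot act on.

```c
/* Added example, not from the thread or from ostree. Linux only.
 * Build: cc -Wall -o xattr_nofollow xattr_nofollow.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Close fd (if open), set errno, return -1. errno is read by the caller before the close. */
static int fail(int fd, int err) { if (fd >= 0) close(fd); errno = err; return -1; }

/* Open the parent directory of `path` as an O_PATH fd, descending one component
 * at a time with O_NOFOLLOW so a symlink in any intermediate component fails with
 * ELOOP instead of being followed. Copies the final component into `leaf`. */
int open_parent_nofollow(const char *path, char *leaf, size_t leaflen)
{
    char buf[PATH_MAX];
    if (strlen(path) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    int dirfd = open(path[0] == '/' ? "/" : ".", O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) return -1;
    char *save = NULL, *comp = strtok_r(buf, "/", &save);
    if (!comp) return fail(dirfd, EINVAL);               /* no final component */
    for (char *next; (next = strtok_r(NULL, "/", &save)) != NULL; comp = next) {
        int fd = openat(dirfd, comp, O_PATH | O_NOFOLLOW | O_CLOEXEC);
        if (fd < 0) return fail(dirfd, errno);
        close(dirfd);
        dirfd = fd;
        struct stat st;                /* fstat on an O_PATH fd works since Linux 3.6 */
        if (fstat(dirfd, &st) < 0) return fail(dirfd, errno);
        if (S_ISLNK(st.st_mode)) return fail(dirfd, ELOOP);    /* O_NOFOLLOW gave us the link itself */
        if (!S_ISDIR(st.st_mode)) return fail(dirfd, ENOTDIR);
    }
    if (strlen(comp) >= leaflen) return fail(dirfd, ENAMETOOLONG);
    strcpy(leaf, comp);
    return dirfd;
}

/* Set an xattr on `leaf` below the already-opened directory `dirfd`. lsetxattr()
 * gets the magic link /proc/self/fd/N/leaf, so only the final component is resolved,
 * and with the "l" variant it is not followed if it is a symlink. */
int set_xattr_nofollow(int dirfd, const char *leaf, const char *name, const void *value, size_t size)
{
    char proc[64 + NAME_MAX];
    snprintf(proc, sizeof proc, "/proc/self/fd/%d/%s", dirfd, leaf);
    return lsetxattr(proc, name, value, size, 0);
}

/* Hard-link caveat: the walk cannot tell whether `leaf` is a hard link to another
 * file; the link count is the only hint, and on a link farm it is legitimately > 1. */
long link_count(int dirfd, const char *leaf)
{
    struct stat st;
    if (fstatat(dirfd, leaf, &st, AT_SYMLINK_NOFOLLOW) < 0) return -1;
    return (long)st.st_nlink;
}

/* Self-check on a constructed fixture under /tmp (not real ostree data):
 *   $T/real/target  regular file     $T/real/alias  hard link to target
 *   $T/lnk -> real  the kind of symlink an attacker plants in a writable directory
 * Returns 0 when every step behaves as described, otherwise the failing step number. */
int self_check(void)
{
    char t[] = "/tmp/xattr_nofollow.XXXXXX", p[PATH_MAX], a[PATH_MAX], leaf[NAME_MAX + 1];
    if (!mkdtemp(t)) return 1;
    snprintf(p, sizeof p, "%s/real", t);
    if (mkdir(p, 0700) < 0) return 2;
    snprintf(p, sizeof p, "%s/real/target", t);
    int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 3;
    close(fd);
    snprintf(a, sizeof a, "%s/real/alias", t);
    if (link(p, a) < 0) return 4;
    snprintf(a, sizeof a, "%s/lnk", t);
    if (symlink("real", a) < 0) return 5;

    int rc = 0;
    snprintf(a, sizeof a, "%s/lnk/target", t);
    /* Step 6: a symlinked intermediate component is refused with ELOOP. */
    if (open_parent_nofollow(a, leaf, sizeof leaf) != -1 || errno != ELOOP) rc = 6;
    /* Step 7: the honest path walks fine and yields the leaf name. */
    int dirfd = open_parent_nofollow(p, leaf, sizeof leaf);
    if (dirfd < 0 || strcmp(leaf, "target") != 0) rc = rc ? rc : 7;
    /* Step 8: the hard link is only visible through the link count. */
    if (dirfd >= 0 && link_count(dirfd, leaf) != 2) rc = rc ? rc : 8;
    /* Step 9: xattr via /proc/self/fd; ENOTSUP means the fs has no user.* xattrs, not a walk failure. */
    if (dirfd >= 0 && set_xattr_nofollow(dirfd, leaf, "user.demo", "1", 1) < 0 && errno != ENOTSUP)
        rc = rc ? rc : 9;
    if (dirfd >= 0) close(dirfd);

    snprintf(a, sizeof a, "%s/lnk", t);        unlink(a);   /* tear the fixture down */
    snprintf(a, sizeof a, "%s/real/alias", t); unlink(a);
    unlink(p);
    snprintf(a, sizeof a, "%s/real", t);       rmdir(a);
    rmdir(t);
    return rc;
}

int main(void)
{
    int rc = self_check();
    printf("self_check: %s%d\n", rc ? "FAILED at step " : "ok, rc=", rc);
    return rc != 0;
}
```

The walk closes each parent fd as it descends, so the only descriptor that outlives the call is the O_PATH fd for the final parent; the caller must close it. Note that `..` components are followed through the fd, not the string, which is the point of walking with openat instead of re-resolving the full path.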

