[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] Bindings to *at functions & allowing more functions to oper
|
From: |
Maxime Devos |
|
Subject: |
Re: [PATCH] Bindings to *at functions & allowing more functions to operate on ports |
|
Date: |
Sat, 27 Mar 2021 22:19:20 +0100 |
|
User-agent: |
Evolution 3.34.2 |
Hi,
[CC'ing some Guile and Guix maintainers because this is
important for the security of Guix System.]
I want to explain why these patches (and the O_FLAGS (*)
patch) should be included in Guile. Functions like "openat"
are important to avoid TOCTTOU (time-of-check to time-of-use)
vulnerabilities involving symbolic links.
For example, suppose we have a web server implemented in
Guile. Suppose the address is https://web.gnu. It allows
a local user U (and some others) to define their own web
pages to host at http://web.gnu/~U, by writing files to
/home/U/www. As there are multiple users, the server has
to run as root.
Now suppose U is the malicious kind of user. Then $U
could create a symlink at /home/U/www/maliciousity pointing
to /home/other-user/.gnupg/private-keys-v1.d/FINGERPRINT.key.
Now U could download other-user's gpg key, for example
with "wget http://web.gnu/~U/maliciousity";. Oops!
How can this vulnerability be avoided?
* Use O_NOFOLLOW to *not* follow the symbolic link.
Patch for adding O_NOFOLLOW to guile:
<https://debbugs.gnu.org/cgi/bugreport.cgi?bug=46220>.
And why do we need openat? Well, suppose the web server
is not read-only, and supports (say) WebDAV or FTP for
modifying files remotely (I mean U can remotely modify
http://web.gnu/~U). Then U could create a symlink
at /home/U/www/maliciousity pointing to /home/other-user.
Now U can peek into other-user's home directory and overwrite
files. Oops!
How can the web server avoid this?
* First open "/home/U" as usual, resulting in a port $1.
Then use (openat $1 "maliciousity" O_NOFOLLOW), resulting
in a port $2. Use (stat $2) to see if $2 is a directory
or a regular file **and** to see if $2 is owned by $2!
If necessary, recurse, etc. Display a directory listing
or display the file, etc.
How does this matter for Guix?
Guix has a TOCTTOU race:
<https://lists.gnu.org/archive/html/guix-devel/2021-01/msg00388.html>.
It has been partially fixed:
<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=520bac7ed00a949a0391ad680de65a1498105c2b>.
However, a complete fix requires bindings to "openat".
I found another similar issue in Guix lately (not yet disclosed publicly).
While I think the conditions for this other potential security issue
to be exploitable don't ever happen in practice, I would still like
to fix this issue, and to be able to prevent similar issues from appearing
in the future.
Greetings,
Maxime.
signature.asc
Description: This is a digitally signed message part