From 30c848ee9ae7c4fe4f31fe763c0cb7eb9fb061d0 Mon Sep 17 00:00:00 2001
From: Mike Hibler
Date: Thu, 13 Aug 2015 12:24:01 -0600
Subject: [PATCH] Deal with attempts to exploit the fact that we run as root and access files.

---
 apt/genilib-iocage.in | 27 ++++++++++++++++++++-------
 apt/genilib-jail.in | 24 ++++++++++++++++++++----
 2 files changed, 40 insertions(+), 11 deletions(-)

diff --git a/apt/genilib-iocage.in b/apt/genilib-iocage.in
index af141ef8f..799381046 100644
--- a/apt/genilib-iocage.in
+++ b/apt/genilib-iocage.in
@@ -333,8 +333,7 @@ if (system("mount -t nullfs -o ro $GENILIB $jailrootdir$GENILIB_MNT")) {
 my ($j_ifile,$j_ofile,$j_pfile);
 if ($action != 1) {
 my $tempdir = "/tmp/genilib/";
- if (!mkdir("$jailrootdir$tempdir", 0700) ||
- !chown($uid, $gid, "$jailrootdir$tempdir")) {
+ if (!mkdir("$jailrootdir$tempdir", 0700)) {
 print STDERR "Could not create geni-lib jail tempdir\n";
 exit(1);
 }
@@ -346,14 +345,12 @@ if ($action != 1) {
 msg("Stashing files");
 if (system("cp -p $ifile $jailrootdir$j_ifile") ||
- ($pfile && system("cp -p $pfile $jailrootdir$j_pfile"))) {
+ ($pfile && system("cp -p $pfile $jailrootdir$j_pfile")) ||
+ system("chown -R $uid:$gid $jailrootdir$tempdir")) {
 print STDERR "Could not populate jail\n";
 exit(1);
 }
- #
- # XXX adjust the environment for the portal module to reflect the jail.
- #
 #
 # XXX adjust the environment for the portal module to reflect the jail.
 #
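Review bot: `mkdir("$jailrootdir$tempdir", 0700)` follows a symlink in the parent path component, so if `$jailrootdir/tmp` can be replaced by the user (the copy-back hunk later in this patch says the user can reach the jail root from outside), root would create and then populate the directory wherever that link points; the new code only handles a pre-existing `genilib` entry, where mkdir fails with EEXIST and the script exits, which is the correct fail-closed behaviour. If the jail's `/tmp` is not guaranteed to be root-owned at this point, guard it, e.g. `if (-l "$jailrootdir/tmp" || !mkdir("$jailrootdir$tempdir", 0700)) {`, or better refuse unless `lstat` shows a root-owned directory. Including the errno would also help tell an attack from a misconfiguration: `print STDERR "Could not create geni-lib jail tempdir: $!\n";`. The enclosing `if ($action != 1)` block continues past the end of the hunk.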
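Review bot: The added `system("chown -R $uid:$gid $jailrootdir$tempdir")` runs a root recursive chown through the shell when the set of files is fully known at this point (the directory and the one or two files just copied into it) and Perl's built-in would do. Replacing it with `my @paths = ("$jailrootdir$tempdir", "$jailrootdir$j_ifile", ($pfile ? ("$jailrootdir$j_pfile") : ()));` and `chown($uid, $gid, @paths) != @paths` in the failure condition avoids the shell, avoids re-owning anything unexpected that might appear under the directory, and reports failure per path. Note also that `cp -p` as root copies whatever `$ifile` and `$pfile` resolve to; if those paths can be chosen by the user they need the same symlink/ownership check that the copy-back side gets, since the result ends up in a directory the user then owns. `$j_ifile` and `$j_pfile` are assigned outside the hunk.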
@@ -428,10 +425,26 @@ if ($status) {
 }
 if ($action != 1) {
- if (system("cp -p $jailrootdir$j_ofile $ofile")) {
+ #
+ # Oh the joys of running as root. Now we need to take away user
+ # permission from the jail directory (recall the user can access
+ # it from outside) and then verify that the source file isn't a
+ # symlink (a cheap-o realpath check). Our caller is responsible
+ # for defending the target file.
+ #
+ my $tempdir = "/tmp/genilib";
+ if (-l "$jailrootdir$tempdir" ||
+ chown(0, -1, "$jailrootdir$tempdir") != 1) {
 print STDERR "Could not copy back results of command\n";
 exit(1);
 }
+ if (-e "$jailrootdir$j_ofile") {
+ if (-l "$jailrootdir$j_ofile" ||
+ system("cp $jailrootdir$j_ofile $ofile")) {
+ print STDERR "Could not copy back results of command\n";
+ exit(1);
+ }
+ }
 } else {
 print STDERR "Jail '$jailtag' running. Root FS at '$jailrootdir'.\n";
 }
diff --git a/apt/genilib-jail.in b/apt/genilib-jail.in
index bb14ca43c..fc0285767 100644
--- a/apt/genilib-jail.in
+++ b/apt/genilib-jail.in
@@ -321,8 +321,7 @@ if (system("mount -t nullfs -o ro $GENILIB $jailrootdir$GENILIB_MNT")) {
 my ($j_ifile,$j_ofile,$j_pfile);
 if ($action != 1) {
 my $tempdir = "/tmp/genilib/";
- if (!mkdir("$jailrootdir$tempdir", 0700) ||
- !chown($uid, $gid, "$jailrootdir$tempdir")) {
+ if (!mkdir("$jailrootdir$tempdir", 0700)) {
 print STDERR "Could not create geni-lib jail tempdir\n";
 exit(1);
 }
@@ -334,7 +333,8 @@ if ($action != 1) {
 msg("Stashing files");
 if (system("cp -p $ifile $jailrootdir$j_ifile") ||
- ($pfile && system("cp -p $pfile $jailrootdir$j_pfile"))) {
+ ($pfile && system("cp -p $pfile $jailrootdir$j_pfile")) ||
+ system("chown -R $uid:$gid $jailrootdir$tempdir")) {
 print STDERR "Could not populate jail\n";
 exit(1);
 }
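Review bot: `chown(0, -1, "$jailrootdir$tempdir")` takes ownership back but leaves the mode bits alone, and the user owned the directory while their command ran; a `chmod 777` (or `g+w`) done then survives the chown, so the user keeps write access and can still swap `$j_ofile` for a symlink between the `-l` test and the `cp`. Add `chmod(0700, "$jailrootdir$tempdir") != 1 ||` to the failure condition right after the chown so the directory is root-only again before anything inside it is trusted. Separately, the `-l` test on the directory runs before the chown, so a user who can rename entries in the jail's `/tmp` (they own `genilib` at that instant, which a sticky bit permits) can replace it with a symlink in that window and the chown follows the link; testing `-l` and `-d` after the chown instead catches a swapped-in link, since once the directory is root-owned the user can no longer rename it in a sticky `/tmp`. Whether the jail's `/tmp` is sticky or otherwise user-writable is not visible in this patch.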
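Review bot: The `system("chown -R $uid:$gid $jailrootdir$tempdir")` added here duplicates the shell-based recursive chown in apt/genilib-iocage.in, and in both files the contents of the directory are fully known at this point (the directory plus the one or two files just copied), so the built-in is enough: `my @paths = ("$jailrootdir$tempdir", "$jailrootdir$j_ifile", ($pfile ? ("$jailrootdir$j_pfile") : ()));` followed by `chown($uid, $gid, @paths) != @paths` in the failure chain. That drops the shell, does not re-own anything unexpected that might have appeared under the directory, and gives a per-path result. `$j_ifile` and `$j_pfile` are assigned outside the hunk.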
@@ -419,10 +419,26 @@ if ($status) {
 }
 if ($action != 1) {
- if (system("cp -p $jailrootdir$j_ofile $ofile")) {
+ #
+ # Oh the joys of running as root. Now we need to take away user
+ # permission from the jail directory (recall the user can access
+ # it from outside) and then verify that the source file isn't a
+ # symlink (a cheap-o realpath check). Our caller is responsible
+ # for defending the target file.
+ #
+ my $tempdir = "/tmp/genilib";
+ if (-l "$jailrootdir$tempdir" ||
+ chown(0, -1, "$jailrootdir$tempdir") != 1) {
 print STDERR "Could not copy back results of command\n";
 exit(1);
 }
+ if (-e "$jailrootdir$j_ofile") {
+ if (-l "$jailrootdir$j_ofile" ||
+ system("cp $jailrootdir$j_ofile $ofile")) {
+ print STDERR "Could not copy back results of command\n";
+ exit(1);
+ }
+ }
 } else {
 print STDERR "Jail '$jailtag' running. Root FS at '$jailrootdir'.\n";
 }
--
GitLab
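Review bot: As in the identical block in apt/genilib-iocage.in, `chown(0, -1, "$jailrootdir$tempdir")` alone does not revoke the user's access if they changed the directory's mode while they owned it, so a `chmod(0700, "$jailrootdir$tempdir") != 1 ||` clause after the chown is needed before the `-l` test on `$j_ofile` means anything. The `-e` test that precedes the `-l` test also follows symlinks, so a dangling link left at `$j_ofile` makes `-e` false and the copy-back is skipped silently instead of being reported; testing the link first, `if (-l "$jailrootdir$j_ofile") { print STDERR ...; exit(1); } elsif (-e "$jailrootdir$j_ofile") {`, reports it. Finally `system("cp $jailrootdir$j_ofile $ofile")` goes through the shell; the list form `system("cp", "$jailrootdir$j_ofile", $ofile)` keeps any unusual characters in the caller-supplied `$ofile` from being interpreted.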