Commit 30c848ee authored by Mike Hibler's avatar Mike Hibler

Deal with attempts to exploit the fact that we run as root and access files.

parent 88a4a831
...@@ -333,8 +333,7 @@ if (system("mount -t nullfs -o ro $GENILIB $jailrootdir$GENILIB_MNT")) { ...@@ -333,8 +333,7 @@ if (system("mount -t nullfs -o ro $GENILIB $jailrootdir$GENILIB_MNT")) {
my ($j_ifile,$j_ofile,$j_pfile); my ($j_ifile,$j_ofile,$j_pfile);
if ($action != 1) { if ($action != 1) {
my $tempdir = "/tmp/genilib/"; my $tempdir = "/tmp/genilib/";
if (!mkdir("$jailrootdir$tempdir", 0700) || if (!mkdir("$jailrootdir$tempdir", 0700)) {
!chown($uid, $gid, "$jailrootdir$tempdir")) {
print STDERR "Could not create geni-lib jail tempdir\n"; print STDERR "Could not create geni-lib jail tempdir\n";
exit(1); exit(1);
} }
...@@ -346,14 +345,12 @@ if ($action != 1) { ...@@ -346,14 +345,12 @@ if ($action != 1) {
msg("Stashing files"); msg("Stashing files");
if (system("cp -p $ifile $jailrootdir$j_ifile") || if (system("cp -p $ifile $jailrootdir$j_ifile") ||
($pfile && system("cp -p $pfile $jailrootdir$j_pfile"))) { ($pfile && system("cp -p $pfile $jailrootdir$j_pfile")) ||
system("chown -R $uid:$gid $jailrootdir$tempdir")) {
print STDERR "Could not populate jail\n"; print STDERR "Could not populate jail\n";
exit(1); exit(1);
} }
#
# XXX adjust the environment for the portal module to reflect the jail.
#
# #
# XXX adjust the environment for the portal module to reflect the jail. # XXX adjust the environment for the portal module to reflect the jail.
# #
...@@ -428,10 +425,26 @@ if ($status) { ...@@ -428,10 +425,26 @@ if ($status) {
} }
if ($action != 1) { if ($action != 1) {
if (system("cp -p $jailrootdir$j_ofile $ofile")) { #
# Oh the joys of running as root. Now we need to take away user
# permission from the jail directory (recall the user can access
# it from outside) and then verify that the source file isn't a
# symlink (a cheap-o realpath check). Our caller is responsible
# for defending the target file.
#
my $tempdir = "/tmp/genilib";
if (-l "$jailrootdir$tempdir" ||
chown(0, -1, "$jailrootdir$tempdir") != 1) {
print STDERR "Could not copy back results of command\n"; print STDERR "Could not copy back results of command\n";
exit(1); exit(1);
} }
if (-e "$jailrootdir$j_ofile") {
if (-l "$jailrootdir$j_ofile" ||
system("cp $jailrootdir$j_ofile $ofile")) {
print STDERR "Could not copy back results of command\n";
exit(1);
}
}
} else { } else {
print STDERR "Jail '$jailtag' running. Root FS at '$jailrootdir'.\n"; print STDERR "Jail '$jailtag' running. Root FS at '$jailrootdir'.\n";
} }
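Review bot: The `-l "$jailrootdir$tempdir"` test and the `chown(0, -1, "$jailrootdir$tempdir")` that follows act on the path separately, and the comment right above says the user owns that directory at this point and can reach it from outside the jail, so the directory can be swapped for a symlink between the two calls, and `chown` follows symlinks, so the ownership change would land on whatever the link points to. `chown` also leaves the mode untouched, and an owner can relax the 0700 set by `mkdir` while the command runs, so root ownership alone does not guarantee the user has lost write access to the directory before the later `-l`/`cp` pair on `$j_ofile` runs. Both gaps close if the check and the action hit the same open object: `sysopen` the directory with `O_NOFOLLOW|O_DIRECTORY` and `chown`/`chmod` the handle, then `sysopen` the output file with `O_NOFOLLOW` and copy from that handle instead of running `cp` on the path (this needs `use Fcntl qw(O_RDONLY O_NOFOLLOW O_DIRECTORY);` and `use File::Copy;` at the top if they are not already there, and it is worth confirming that `Fcntl` exports both flags and `sysopen` accepts a directory on the target platform). The identical hunk in the second file section (@@ -419,10 +419,26 @@) has the same issue, and the new `system("chown -R $uid:$gid $jailrootdir$tempdir")` line in the earlier hunk of both sections would be safer in list form, `system('chown', '-R', "$uid:$gid", "$jailrootdir$tempdir")`, so the paths are never shell-parsed.
```perl
my $tempdir = "/tmp/genilib";
# Work on an open handle so the symlink check, chown and chmod all apply
# to the same directory object rather than to a path that can be swapped.
my $dh;
if (!sysopen($dh, "$jailrootdir$tempdir",
             O_RDONLY|O_NOFOLLOW|O_DIRECTORY) ||
    chown(0, -1, $dh) != 1 || chmod(0700, $dh) != 1) {
    print STDERR "Could not copy back results of command\n";
    exit(1);
}
if (-e "$jailrootdir$j_ofile") {
    # O_NOFOLLOW rejects a symlink at open time; copying from the handle
    # means cp cannot be pointed at a different file after the check.
    my $fh;
    if (!sysopen($fh, "$jailrootdir$j_ofile", O_RDONLY|O_NOFOLLOW) ||
        !File::Copy::copy($fh, $ofile)) {
        print STDERR "Could not copy back results of command\n";
        exit(1);
    }
    close($fh);
}
# … unchanged: else branch reporting the running jail …
```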
......
...@@ -321,8 +321,7 @@ if (system("mount -t nullfs -o ro $GENILIB $jailrootdir$GENILIB_MNT")) { ...@@ -321,8 +321,7 @@ if (system("mount -t nullfs -o ro $GENILIB $jailrootdir$GENILIB_MNT")) {
my ($j_ifile,$j_ofile,$j_pfile); my ($j_ifile,$j_ofile,$j_pfile);
if ($action != 1) { if ($action != 1) {
my $tempdir = "/tmp/genilib/"; my $tempdir = "/tmp/genilib/";
if (!mkdir("$jailrootdir$tempdir", 0700) || if (!mkdir("$jailrootdir$tempdir", 0700)) {
!chown($uid, $gid, "$jailrootdir$tempdir")) {
print STDERR "Could not create geni-lib jail tempdir\n"; print STDERR "Could not create geni-lib jail tempdir\n";
exit(1); exit(1);
} }
...@@ -334,7 +333,8 @@ if ($action != 1) { ...@@ -334,7 +333,8 @@ if ($action != 1) {
msg("Stashing files"); msg("Stashing files");
if (system("cp -p $ifile $jailrootdir$j_ifile") || if (system("cp -p $ifile $jailrootdir$j_ifile") ||
($pfile && system("cp -p $pfile $jailrootdir$j_pfile"))) { ($pfile && system("cp -p $pfile $jailrootdir$j_pfile")) ||
system("chown -R $uid:$gid $jailrootdir$tempdir")) {
print STDERR "Could not populate jail\n"; print STDERR "Could not populate jail\n";
exit(1); exit(1);
} }
...@@ -419,10 +419,26 @@ if ($status) { ...@@ -419,10 +419,26 @@ if ($status) {
} }
if ($action != 1) { if ($action != 1) {
if (system("cp -p $jailrootdir$j_ofile $ofile")) { #
# Oh the joys of running as root. Now we need to take away user
# permission from the jail directory (recall the user can access
# it from outside) and then verify that the source file isn't a
# symlink (a cheap-o realpath check). Our caller is responsible
# for defending the target file.
#
my $tempdir = "/tmp/genilib";
if (-l "$jailrootdir$tempdir" ||
chown(0, -1, "$jailrootdir$tempdir") != 1) {
print STDERR "Could not copy back results of command\n"; print STDERR "Could not copy back results of command\n";
exit(1); exit(1);
} }
if (-e "$jailrootdir$j_ofile") {
if (-l "$jailrootdir$j_ofile" ||
system("cp $jailrootdir$j_ofile $ofile")) {
print STDERR "Could not copy back results of command\n";
exit(1);
}
}
} else { } else {
print STDERR "Jail '$jailtag' running. Root FS at '$jailrootdir'.\n"; print STDERR "Jail '$jailtag' running. Root FS at '$jailrootdir'.\n";
} }
......