Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 18 Oct 2017 16:55:07 -0400
From: Robert Watson <robertcwatson1@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-8805: Unsafe symlinks not filtered in
 Debian mirror script ftpsync

May be that this convo should be migrated somewhere else, but I'd really
like to understand how this has anything to do with symlinks. Been
programming Unix/Linux for 30 years but now need to be a real SysAdmin so
need to correct my misconceptions.

Removing the ability for rsync to copy symlinks pointing to targets outside
the mirror tree would greatly cripple it. I need to understand how the
danger is worth the loss of this functionality.

Can you or anyone help me with this?





*Trust in truth keeps hope aliverobertcwatson1@...il.com
<robertcwatson1@...il.com>webmaster@...icchorale.org
<webmaster@...icchorale.org>alpha.docsalvager.info
<http://alpha.docsalvager.info>www.CivicChorale.org
<http://www.CivicChorale.org>*

On Wed, Oct 18, 2017 at 9:30 AM, Ben Tasker <ben@...tasker.co.uk> wrote:

> On Wed, Oct 18, 2017 at 1:55 PM, Robert Watson <robertcwatson1@...il.com>
> wrote:
>
> > Since security is determined by file and directory permissions and
> > ownership, not by symlinks, wouldn't the fact that a malicious user did
> not
> > have permissions to access the symlink's target file/directory prevent
> any
> > harm?
> >
>
> If I'm reading the original correctly, then the user that will access the
> target will be the user your HTTP daemon runs as (so, for sake of example,
> nginx).
>
> There's stuff that will be protected by permissions (for example, you
> shouldn't be able to pull down /etc/shadow - so long as nginx/apache isn't
> running as root), but there are other files that you might consider
> sensitive(ish). Pulling down /etc/passwd would give you a list of known
> good usernames to better target brute-force attempts (for example). Or
> perhaps using it to grab the config file of some dynamic site on the same
> server etc.
>
> So there is potential scope for abuse there, and others probably have
> better imaginations than I do.
>
> The "nice" thing about it is: if an attacker gets access to the upstream
> mirror they still may not be able to mess with the packages themselves (as
> they're signed), but with this they can still potentially be hostile to
> downstream.
>
>
> --
> Ben Tasker
> https://www.bentasker.co.uk
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.