Date: Thu, 23 Apr 2015 20:24:41 +0200 From: Jann Horn <jann@...jh.net> To: oss-security@...ts.openwall.com Subject: Re: open(2) with side effects On Thu, Apr 23, 2015 at 03:08:43PM +0200, Florian Weimer wrote: > How common are file names on Linux which, when just opened and closed > (maybe with fstat or fgetattr inbetween), trigger side effects, such as > tape rewind? > > Do we still have to guard against that? Or is that a thing of the past? Well, opening anything creates an inotify event that can be observed by anyone with read access to the thing. So if I can make you open a symlink to "/root/.ssh/../../tmp/foobar" with root privileges, I can observe whether an IN_OPEN event happens on /tmp/foobar and deduce from that whether a folder /root/.ssh exists. As far as I know, there is no way to prevent that notification. So the fix is to never follow symlinks, or in other words, never use paths including slashes in syscalls that take a path and only open directories using "open(..., O_NOFOLLOW);fchdir(...)", I guess. (You can do the same attack by polling st_atime instead of using inotify, but that might not work depending on the mount options and whether O_NOATIME was used.) > At least before containers, the risk is greatly reduced because /dev is > a separate file system these days, so you can only use symbolic links, As you said, containers complicate finding out where you are a bit, even if you're not inside one - see the recently updated getcwd(3) manpage (<http://man7.org/linux/man-pages/man2/getcwd.2.html>): If the current directory is not below the root directory of the current process (e.g., because the process set a new filesystem root using chroot(2) without changing its current directory into the new root), then, since Linux 2.6.36, the returned path will be prefixed with the string "(unreachable)". Such behavior can also be caused by an unprivileged user by changing the current directory into another mount namespace. When dealing with paths from untrusted sources, callers of these functions should consider checking whether the returned path starts with '/' or '(' to avoid misinterpreting an unreachable path as a relative path. But yeah, that also only applies if you follow symlinks somehow. > and those are more straightforward to deal with (hard links need O_PATH > for a race- and side-effect-free link count check). You can do a race-free link count check? How does that work? As far as I know, an attacker could always just remove the dentry through which you're accessing the inode before the fstat() and put it back in place after fstat(). Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.