Date: Fri, 2 Dec 2011 05:30:44 +0400 From: "Dmitry V. Levin" <ldv@...linux.org> To: owl-dev@...ts.openwall.com Subject: Re: Re: [owl-cvs] Owl/packages/rpm On Fri, Dec 02, 2011 at 05:07:17AM +0400, Solar Designer wrote: > On Fri, Dec 02, 2011 at 01:40:04AM +0400, Dmitry V. Levin wrote: > > On Mon, Jul 25, 2011 at 05:35:15AM +0400, Owl CVS (solar) wrote: > > > rpm-4.2-owl-remove-unsafe-perms.diff > > > Log Message: > > > Added a patch to remove unsafe file permissions (chmod'ing files to 0) on > > > package removal or upgrade to prevent continued access to such files via > > > hard-links possibly created by a user (CVE-2005-4889, CVE-2010-2059). > > > > There is a risk to get into big trouble with this change, because > > hardlinked files could be legally created by packages without any user > > intervention. For example, our screen package hardlinks > > /usr/libexec/chkpwd/tcb_chkpwd and /usr/libexec/utempter/utempter to > > /usr/libexec/screen/, and only by sheer luck (we happily have a %preun > > script that removes these /usr/libexec/screen/* files) screen package > > removal does not lead to zeroing permissions of > > /usr/libexec/chkpwd/tcb_chkpwd and /usr/libexec/utempter/utempter. > > Those who rely on rpm to remove %ghost files may some day be trapped by > > this hardening feature. > > I actually got trapped after porting it to Sisyphus where permissions of > > several system config files including /etc/nsswitch.conf were zeroed after > > removing a chrooted daemon. > > Ouch. What alternative do you recommend? A more limited hardening > change like in upstream RPM 4? Or maybe something inbetween - limiting > it to SUIDs/SGIDs and device files? (Upstream RPM 4 limits this to > SUIDs/SGIDs only, leaving device files unprotected.) In Sisyphus, to mitigate the effect, I relaxed the hardening by limiting zeroing permissions of regular files to set[ug]id executables (devices and other non-regular files thus remain the subject of permissions zeroing): http://git.altlinux.org/gears/r/..git?p=rpm.git;a=commitdiff;h=3946369bfbc2e47f0742a397362c23c9aeafd03f But the example of 'screen' shows that even a set[ug]id executable can be a (rare?) subject for legal hardlinking, which leaves us nothing but workarounds like manual files removal in %preun scripts. If we could distinguish %ghost files from others on removal, that would really help us to fix the problem. -- ldv Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.