Discussion summary: Mock security

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Tue Jun 6 23:17:25 UTC 2006


Michael_E_Brown at Dell.com writes:

> Problem area: do_mknod()
> 	passes unchecked user data to the mknod command. User can use
> the "-m" to set insecure permissions on, for example, a hard disk device
> node.
>
> Proposed Solution:
> 	Do not pass user-supplied input to mknod. Make an array of
> allowed devices, along with major/minor and permissions. Mock-helper
> mknod should only be passed the device name, and it should look up the
> major/minor/perms from the array.

Other solution:

* do not use mknod(2) but bind-mount a read-only (e.g. ramfs) filesystem
  into dev/; pseudo C-code:

  | int root_fd = open("/", O_RDONLY | O_DIRECTORY);     /* handle on the real root */
  | if (root_fd < 0 || chroot(ROOT) < 0 || chdir("/dev") < 0)
  |   err(1, "enter chroot");      /* "/dev" is resolved inside ROOT only */
  | int new_fd = open(".", O_RDONLY | O_DIRECTORY);      /* ROOT/dev, held by fd */
  | if (new_fd < 0 || fchdir(root_fd) < 0 || chroot(".") < 0)
  |   err(1, "leave chroot");      /* back in the real root */
  | if (fchdir(new_fd) < 0 ||
  |     mount(DEV_IN_TRUSTED_DIR, ".", "none", MS_BIND, NULL) < 0)
  |   err(1, "bind mount");        /* target is ".", never a user-supplied path */


> Problem area: do_chroot()
> 	passes unchecked user data to chroot command. User can easily
> get a shell, and, for example, create device nodes.
>
> Proposed Solution:
> 	Do not pass user-supplied data to chroot. Make an array of
> allowed commands, mock.py should just pass which command it wants to run
> from the list. Any required user input should be filtered for
> [A-Za-z0-9,+\-.], or similarly strict regexp. No extra options should be
> allowed to the command (for example, no input starting with '-')

can always be exploited, e.g. by placing one's own version of an allowed
command into the chroot


> Problem area: do_rm()
> 	does not check all user input. Only checks argv[2] and argv[3],
> yet passes all args received to rm. User can add new options, as long as
> they come after argv[3]. User could remove system files by passing as
> argv[4] or later.
>
> Proposed solution:
> 	Add check to allow only one argument. Force '-rf' argument.
> Perform strict validation on the one argument passed.

Better solution:

* implement 'rm -rf' in C and do it after a chroot(2)


> Problem area: do_mount()
> 	does not check all user input. User can pass extra args that
> will be passed to mount unchecked.
>
> Proposed solution:
> 	array of allowed mounts.

Better solution:

* do not use /bin/mount but mount(2) in a way like in the example above


> Problem area: do_unpack()
> 	does not check that tarball is from secure directory. Could
> contain insecure /dev/ files (see do_mknod())

Better solution:

* open tarball in a secure way and redirect the opened fd into tar's
  stdin



Enrico
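Added example (editor's code, not mock's and not part of Enrico's reply) of the "implement 'rm -rf' in C and do it after a chroot(2)" suggestion above. The removal works relative to a directory file descriptor with unlinkat(2)/openat(2) instead of handing a path string to /bin/rm, so a symlink planted in the build tree is unlinked rather than followed, a name swapped for a symlink mid-walk is caught by O_NOFOLLOW, and the caller can only name a single path component. The demo tree under /tmp, the ROOT NAME argument convention and the EISDIR/EPERM handling for non-Linux systems are assumptions.

```c
/* Added example, not mock's code: "rm -rf" done in C, fd-relative, so the
 * helper never resolves a caller-supplied path string and never follows a
 * symlink out of the tree it was asked to clean.  /tmp demo paths and the
 * ROOT/NAME argument convention are assumptions. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove `name` (one path component) relative to directory fd `dirfd`,
 * recursing into directories.  Symlinks are unlinked, never followed.
 * Returns 0 on success, -1 with errno set otherwise. */
static int rm_rf_at(int dirfd, const char *name)
{
    /* A single component only: nothing that could walk out of dirfd. */
    if (name[0] == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Non-directory case first: a symlink, even one pointing at a directory,
     * is unlinked here and therefore never descended into. */
    if (unlinkat(dirfd, name, 0) == 0) return 0;
    if (errno != EISDIR && errno != EPERM) return -1;  /* Linux: EISDIR; BSDs: EPERM */
    /* O_NOFOLLOW closes the window in which `name` is swapped for a symlink
     * between the unlinkat() above and this open. */
    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    DIR *d = fdopendir(fd);
    if (d == NULL) { close(fd); return -1; }
    int rc = 0;
    struct dirent *de;
    while (rc == 0 && (de = readdir(d)) != NULL) {
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
            continue;
        rc = rm_rf_at(fd, de->d_name);      /* recurse via the fd, not a path */
    }
    int saved = errno;
    closedir(d);                            /* also closes fd */
    if (rc != 0) { errno = saved; return -1; }
    return unlinkat(dirfd, name, AT_REMOVEDIR);
}

/* Helpers for the constructed demo tree. */
static char *sub(const char *dir, const char *rel)
{
    static char buf[PATH_MAX];
    snprintf(buf, sizeof buf, "%s/%s", dir, rel);
    return buf;
}
static int touch(const char *p)
{
    int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd < 0 ? -1 : close(fd);
}

/* Demo under /tmp: victim/escape is a symlink to outside/, so a path-based
 * delete that follows links would take outside/keep with it.  Returns 0 on
 * success, 1..3 identifying the failed step. */
static int run_demo(void)
{
    char tmp[] = "/tmp/rmrf-demo-XXXXXX", target[PATH_MAX];
    struct stat st;
    if (mkdtemp(tmp) == NULL) return 1;
    snprintf(target, sizeof target, "%s/outside", tmp);
    if (mkdir(target, 0700) < 0 || touch(sub(tmp, "outside/keep")) < 0 ||
        mkdir(sub(tmp, "victim"), 0700) < 0 ||
        mkdir(sub(tmp, "victim/sub"), 0700) < 0 ||
        touch(sub(tmp, "victim/sub/file")) < 0 ||
        symlink(target, sub(tmp, "victim/escape")) < 0)
        return 1;
    int dirfd = open(tmp, O_RDONLY | O_DIRECTORY);
    int rc = dirfd < 0 ? -1 : rm_rf_at(dirfd, "victim");
    if (dirfd >= 0) close(dirfd);
    if (rc != 0) return 2;
    /* victim is gone, the link target outside/keep is untouched */
    if (lstat(sub(tmp, "victim"), &st) == 0 ||
        lstat(sub(tmp, "outside/keep"), &st) != 0)
        return 3;
    dirfd = open(tmp, O_RDONLY | O_DIRECTORY);    /* tidy up the demo files */
    if (dirfd >= 0) { rm_rf_at(dirfd, "outside"); close(dirfd); }
    return rmdir(tmp) == 0 ? 0 : 3;
}

/* Usage: prog ROOT NAME -- chroot(2) into ROOT (needs root), then remove the
 * single component NAME at its top level.  No arguments: run the demo. */
int main(int argc, char **argv)
{
    if (argc == 1) return run_demo();
    if (argc != 3 || chroot(argv[1]) < 0 || chdir("/") < 0 ||
        rm_rf_at(AT_FDCWD, argv[2]) < 0) {
        perror("rm -rf helper");
        return 1;
    }
    return 0;
}
```

Run it without arguments to exercise the symlink case on a throwaway tree; with ROOT and NAME it does what the reply proposes for mock-helper: chroot first, then delete by a single component name, so "-rf" style option injection and "../" escapes have nothing to attach to.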
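Added example (editor's code, not from mock or the reply) for the last point, opening the tarball in a secure way and redirecting the opened fd into tar's stdin: the file is opened with O_NOFOLLOW, the checks run with fstat(2) on the descriptor actually obtained rather than on the name (regular file, owned by the calling uid), and tar reads the archive from stdin with a fixed command line and environment, so no user-controlled path ever reaches /bin/tar. The ownership rule, the /bin/tar path, the fixed PATH and the demo files under /tmp are assumptions.

```c
/* Added example, not mock's code: open the tarball safely and feed it to
 * tar(1) on stdin.  The rule that the file must belong to the calling uid,
 * the /bin/tar path and the demo files under /tmp are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open `path` for reading without following a symlink at the last component,
 * then check the object actually opened (not the name): it must be a regular
 * file owned by `owner`.  Returns the fd, or -1 with errno set. */
static int open_tarball_checked(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;                 /* a symlink fails here (ELOOP on Linux) */
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    if (!S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EPERM;             /* policy failure: device, dir, other owner */
        return -1;
    }
    return fd;
}

/* Run tar in `dest` with the archive on stdin.  Command line and environment
 * are fixed; nothing from the caller appears on them.  Returns tar's exit
 * status, or -1 if it could not be run. */
static int untar_from_fd(int fd, const char *dest)
{
    char *const env[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* dup2() clears close-on-exec on fd 0, so only stdin survives exec */
        if (dup2(fd, STDIN_FILENO) < 0 || chdir(dest) < 0)
            _exit(127);
        execle("/bin/tar", "tar", "-x", "-f", "-", (char *)NULL, env);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo on constructed files under /tmp: a regular file, a symlink to it and
 * the directory itself.  Returns 0 when only the regular file with the right
 * owner is accepted; otherwise a bit mask of the checks that failed. */
static int run_demo(void)
{
    char tmp[] = "/tmp/tarball-demo-XXXXXX", reg[PATH_MAX], lnk[PATH_MAX];
    if (mkdtemp(tmp) == NULL) return 1;
    snprintf(reg, sizeof reg, "%s/src.tar", tmp);
    snprintf(lnk, sizeof lnk, "%s/link.tar", tmp);
    int fd = open(reg, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "stub", 4) != 4 || close(fd) < 0 ||
        symlink(reg, lnk) < 0)
        return 1;
    int rc = 0;
    if (open_tarball_checked(lnk, getuid()) != -1 || errno != ELOOP) rc |= 2;
    if (open_tarball_checked(tmp, getuid()) != -1 || errno != EPERM) rc |= 4;
    if (open_tarball_checked(reg, getuid() + 1) != -1 || errno != EPERM) rc |= 8;
    fd = open_tarball_checked(reg, getuid());
    if (fd < 0) rc |= 16; else close(fd);
    unlink(lnk); unlink(reg); rmdir(tmp);
    return rc;
}

/* Usage: prog TARBALL DESTDIR; with no arguments, run the demo.  In a setuid
 * helper getuid() is the real, unprivileged caller, hence the owner rule. */
int main(int argc, char **argv)
{
    if (argc == 1)
        return run_demo();
    if (argc != 3) {
        fprintf(stderr, "usage: %s TARBALL DESTDIR\n", argv[0]);
        return 2;
    }
    int fd = open_tarball_checked(argv[1], getuid());
    if (fd < 0) { perror(argv[1]); return 1; }
    return untar_from_fd(fd, argv[2]) == 0 ? 0 : 1;
}
```

The point of checking st_uid on the opened descriptor is that a helper running as root otherwise reads any file the unprivileged caller names, including one reached through a symlink or a device node in a "tarball" of the caller's choosing; tar itself never sees a path, only the already-vetted stream on fd 0.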