Discussion summary: Mock security
Enrico Scholz
enrico.scholz at informatik.tu-chemnitz.de
Tue Jun 6 23:17:25 UTC 2006
Michael_E_Brown at Dell.com writes:
> Problem area: do_mknod()
> passes unchecked user data to the mknod command. User can use
> the "-m" to set insecure permissions on, for example, a hard disk device
> node.
>
> Proposed Solution:
> Do not pass user-supplied input to mknod. Make an array of
> allowed devices, along with major/minor and permissions. Mock-helper
> mknod should only be passed the device name, and it should look up the
> major/minor/perms from the array.
Other solution:
* do not use mknod(2) but bind-mount a read-only (e.g. ramfs) filesystem
into dev/; pseudo C-code:
| #include <fcntl.h>
| #include <sys/mount.h>
| #include <unistd.h>
| /* ROOT and DEV_IN_TRUSTED_DIR are compile-time constants of the helper */
| int root_fd = open("/", O_RDONLY | O_DIRECTORY);      /* handle on the real root */
| chroot(ROOT);                                          /* enter the build root */
| chdir("/dev");                                         /* cwd is now ROOT/dev */
| int new_fd = open(".", O_RDONLY | O_DIRECTORY);       /* handle on ROOT/dev */
| fchdir(root_fd);                                       /* step back out to the real root ... */
| chroot(".");                                           /* ... and make it the root again */
| fchdir(new_fd);                                        /* back in ROOT/dev via the fd, no path lookup */
| mount(DEV_IN_TRUSTED_DIR, ".", "none", MS_BIND, NULL); /* bind the trusted dev/ over it */
> Problem area: do_chroot()
> passes unchecked user data to chroot command. User can easily
> get a shell, and, for example, create device nodes.
>
> Proposed Solution:
> Do not pass user-supplied data to chroot. Make an array of
> allowed commands, mock.py should just pass which command it wants to run
> from the list. Any required user input should be filtered for
> [A-Za-z0-9,+\-.], or similarly strict regexp. No extra options should be
> allowed to the command (for example, no input starting with '-')
can always be exploited, e.g. by placing their own version of an allowed
command into the chroot
> Problem area: do_rm()
> does not check all user input. Only checks argv[2] and argv[3],
> yet passes all args received to rm. User can add new options, as long as
> they come after argv[3]. User could remove system files by passing as
> argv[4] or later.
>
> Proposed solution:
> Add check to allow only one argument. Force '-rf' argument.
> Perform strict validation on the one argument passed.
Better solution:
* implement 'rm -rf' in C and do it after a chroot(2)
> Problem area: do_mount()
> does not check all user input. User can pass extra args that
> will be passed to mount unchecked.
>
> Proposed solution:
> array of allowed mounts.
Better solution:
* do not use /bin/mount but mount(2), in the way shown in the example above
> Problem area: do_unpack()
> does not check that tarball is from secure directory. Could
> contain insecure /dev/ files (see do_mknod())
Better solution:
* open tarball in a secure way and redirect the opened fd into tar's
stdin
Enrico
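A concrete form of "implement 'rm -rf' in C" as an added example (my own code, not from this thread or from mock): the helper never builds a path from user input; it takes an open directory fd plus one bare entry name, refuses anything that could be an option or a path component, and never follows symlinks, so the walk cannot be redirected outside the tree it started in. The chroot(2) into the build root is left to the caller (it needs root); the names helper_rm, rm_rf_at and name_is_safe are assumptions of this example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The only user-controlled value is a bare entry name: reject "", ".", "..",
 * anything containing '/' and anything starting with '-' (never an option). */
int name_is_safe(const char *name)
{
    return name && name[0] != '\0' && name[0] != '-' && !strchr(name, '/')
        && strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Remove parent/name recursively. Every step is relative to an open directory
 * fd and symlinks are unlinked, never followed, so no step leaves the tree. */
int rm_rf_at(int parent, const char *name)
{
    struct stat st;
    if (fstatat(parent, name, &st, AT_SYMLINK_NOFOLLOW) < 0)
        return errno == ENOENT ? 0 : -1;      /* already gone: nothing to do */
    if (!S_ISDIR(st.st_mode))
        return unlinkat(parent, name, 0);     /* file, symlink, device: unlink */
    int fd = openat(parent, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    DIR *d = fd < 0 ? NULL : fdopendir(fd);   /* fdopendir takes ownership of fd */
    if (d == NULL) { if (fd >= 0) close(fd); return -1; }
    int removed;
    do {                                      /* rescan until the directory is empty */
        removed = 0; rewinddir(d);
        for (struct dirent *e; (e = readdir(d)) != NULL; ) {
            if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
            if (rm_rf_at(dirfd(d), e->d_name) < 0) { closedir(d); return -1; }
            removed = 1;
        }
    } while (removed);
    closedir(d);
    return unlinkat(parent, name, AT_REMOVEDIR);
}

/* Helper entry point: after the caller has done chroot(2) into the build root,
 * root_fd is an fd on "/" of that chroot and name is the single user argument. */
int helper_rm(int root_fd, const char *name)
{
    if (!name_is_safe(name)) { errno = EINVAL; return -1; }
    return rm_rf_at(root_fd, name);
}
```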