[PATCH] autocache patch -- resend, updated
Enrico Scholz
enrico.scholz at informatik.tu-chemnitz.de
Mon May 29 22:40:05 UTC 2006
Michael_E_Brown at dell.com (Michael E Brown) writes:
>> * a
>>
>> | check_dir(<dir>);
>> | operate_in_dir(<dir>); // tar ...
>
> Dir always has to be under /var/lib/mock/. It is not possible for
> unprivileged users to create symlinks here.
/var/lib/mock is writable by everybody in the 'mock' group.
> I suppose the symlink attack could be done by somebody in the mock
> group.
> 1) mock -r CFG some.src.rpm #to force creation of builddir with
> ownership by me.
> 2) cd /var/lib/mock/CFG/root/builddir/
> 3) ln -s / blastroot
> 4) mock-helper unpack /var/lib/mock/CFG/root/builddir/blastroot
> my-bad.tar.gz
>
> I believe that the fix for this would be to add a check to ensure that
> the tarball is always sourced from /var/lib/mock/root-cache/ and that
> the perms are correct. Feedback?
The right thing would be to open the tarball in the helper, check it and
pipe it into tar's stdin. See
http://ensc.de/mock/mock-0.4-cache.diff
It protects against all symlink attacks until the 'tar' run.
>> always opens a window for symlink attacks. Better do
>>
>> | chdirSafe(<dir);
>> | operate_in_dir("."); // tar ...
>>
>> The security of 'tar' operations is another question; extraction can
>> be made secure by extracting into a private dir and doing an atomic
>> rename(2) then. ATM, I do not see a way how to implement tarball
>> creation securely.
>
> Make sure we are always tarring /var/lib/mock/CFG/root and always place
> the tar under /var/lib/mock/root-cache.
I mean the following attack:
| tar attacker
|
| check whether 'etc' is a dir
| rm -rf etc
| ln -s /etc etc
| chdir('etc')
| pack content
I simply do not know whether the 'chdir' in tar is done in a secure
way (e.g. lstat(dir, &exp_st) && chdir(dir) && stat(".", &cur_st) &&
compare(exp_st, cur_st)).
Enrico
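The lstat/chdir/stat-and-compare check sketched in the message above, written out as an added C example; this is not code from mock or from the thread, and the names `chdir_safe` and `chdir_safe_demo` (which builds a throw-away "etc" dir and "blastroot" symlink under /tmp) are my own.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Enter `dir` only if it is a real directory (never a symlink) and the "."
 * we land in is the inode lstat() reported; otherwise step back and fail. */
int chdir_safe(const char *dir)
{
    struct stat exp_st, cur_st;
    int saved = open(".", O_RDONLY), rc = -1;   /* so we can undo the chdir */
    if (saved < 0)
        return -1;
    if (lstat(dir, &exp_st) < 0)
        goto out;
    errno = ENOTDIR;                      /* symlink or plain file: refuse */
    if (!S_ISDIR(exp_st.st_mode) || chdir(dir) < 0)
        goto out;
    if (stat(".", &cur_st) == 0 && cur_st.st_dev == exp_st.st_dev &&
        cur_st.st_ino == exp_st.st_ino)
        rc = 0;                           /* same dev/ino: no swap happened */
    else if (fchdir(saved) == 0) errno = EXDEV;   /* raced: go back, fail */
out:
    close(saved);
    return rc;
}

/* Constructed fixture mirroring the thread: real "etc" dir, "blastroot" -> "/"
 * symlink.  Bit 0: real dir accepted; bit 1: symlink refused; -1: setup failed. */
int chdir_safe_demo(void)
{
    char base[] = "/tmp/chdir_safe_XXXXXX", real[64], lnk[64];
    int saved = open(".", O_RDONLY), result = 0;
    if (saved < 0 || !mkdtemp(base))
        return -1;
    snprintf(real, sizeof real, "%s/etc", base);
    snprintf(lnk, sizeof lnk, "%s/blastroot", base);
    if (mkdir(real, 0700) < 0 || symlink("/", lnk) < 0)
        return -1;
    if (chdir_safe(real) == 0)
        result |= 1;
    if (chdir_safe(lnk) < 0 && errno == ENOTDIR)
        result |= 2;
    fchdir(saved); close(saved);          /* back to the original cwd */
    unlink(lnk); rmdir(real); rmdir(base);
    return result;
}
```

On Linux the same guarantee comes with no window at all from open(dir, O_RDONLY | O_NOFOLLOW | O_DIRECTORY) followed by fchdir() on that descriptor.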