[PATCH] autocache patche -- resend, updated

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Mon May 29 22:40:05 UTC 2006


Michael_E_Brown at dell.com (Michael E Brown) writes:

>> * a
>> 
>>   | check_dir(<dir>);
>>   | operate_in_dir(<dir>);      // tar ...
>
> Dir always has to be under /var/lib/mock/. It is not possible for
> unprivileged users to create symlinks here.

/var/lib/mock is writable by everybody in the 'mock' group.


> I suppose the symlink attack could be done by somebody in the mock
> group.
>    1) mock -r CFG some.src.rpm    #to force creation of builddir with
> ownership by me.
>    2) cd /var/lib/mock/CFG/root/builddir/
>    3) ln -s /  blastroot
>    4) mock-helper unpack /var/lib/mock/CFG/root/builddir/blastroot
> my-bad.tar.gz
>
> I believe that the fix for this would be to add a check to ensure that
> the tarball is always sourced from /var/lib/mock/root-cache/ and that
> the perms are correct. Feedback?

The right thing would be to open the tarball in the helper, check it, and
pipe it into tar's stdin. See

                http://ensc.de/mock/mock-0.4-cache.diff

It protects against all symlink attacks until the 'tar' run.


>>   opens always a window for symlink attacks. Better do
>> 
>>   | chdirSafe(<dir);
>>   | operate_in_dir(".");        // tar ...
>> 
>>   The security of 'tar' operations is another question; extraction can
>>   be made secure by extracting into a private dir and doing an atomic
>>   rename(2) then. ATM, I do not see a way how to implement tarball
>>   creation securely.
>
> Make sure we are always tarring /var/lib/mock/CFG/root and always place
> the tar under /var/lib/mock/root-cache.

I mean the following attack

|   tar                                       attacker
| 
| check whether 'etc' is a dir
|                                           rm -rf etc
|                                           ln -s /etc etc
| chdir('etc')
| pack content

I simply do not know whether the 'chdir' in tar is done in a secure
way (e.g. lstat(dir, &exp_st) && chdir(dir) && stat(".", &cur_st) &&
compare(exp_st, cur_st)).




Enrico
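The lstat/chdir/stat/compare sequence Enrico sketches above, and the
"rm -rf etc; ln -s /etc etc" race it is meant to catch, as an added
example. This is illustration code written for this page, not code from
the mail, from mock or from mock-helper. It assumes a writable /tmp for
its constructed fixture; the race_hook parameter is a test seam invented
here so the attacker's step can be run deterministically between the
check and the chdir (pass NULL outside the demo). It also shows the
window-free alternative: open the directory with O_NOFOLLOW|O_DIRECTORY
and fchdir() on the descriptor, so there is nothing to race.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* lstat/chdir/stat/compare as sketched in the mail.  'race_hook' is a
 * test seam (invented for this example) that runs between the check and
 * the chdir so the demo can play the attacker; pass NULL in real code. */
int chdir_checked(const char *dir, void (*race_hook)(void *), void *arg)
{
    struct stat exp_st, cur_st;

    if (lstat(dir, &exp_st) == -1)
        return -1;
    if (!S_ISDIR(exp_st.st_mode)) {      /* symlink or plain file: refuse */
        errno = ENOTDIR;
        return -1;
    }
    if (race_hook)                        /* the window the mail worries about */
        race_hook(arg);
    if (chdir(dir) == -1)
        return -1;
    if (stat(".", &cur_st) == -1)
        return -1;
    /* If 'dir' was swapped for a symlink inside the window we are now in
     * the link target, and the device/inode pair no longer matches. */
    if (exp_st.st_dev != cur_st.st_dev || exp_st.st_ino != cur_st.st_ino) {
        errno = EAGAIN;
        return -1;
    }
    return 0;
}

/* Window-free variant: the name is resolved exactly once, O_NOFOLLOW
 * refuses a symlink at the final component, and fchdir() uses the
 * descriptor we already hold instead of resolving the path again. */
int chdir_nofollow(const char *dir)
{
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd == -1)
        return -1;
    int rc = fchdir(fd);
    close(fd);
    return rc;
}

/* Attacker step from the mail: "rm -rf etc; ln -s /etc etc". */
static void swap_for_symlink(void *path)
{
    rmdir((const char *)path);
    symlink("/etc", (const char *)path);
}

/* Constructed fixture (not a real mock tree):
 *   <tmp>/etc        a real, empty directory
 *   <tmp>/blastroot  a symlink to /
 * Returns 0 when every case behaves, else a bitmask of the failed cases. */
int run_demo(void)
{
    char base[] = "/tmp/chdirsafe-XXXXXX";
    if (!mkdtemp(base))
        return -1;
    char etc[PATH_MAX], lnk[PATH_MAX];
    snprintf(etc, sizeof etc, "%s/etc", base);
    snprintf(lnk, sizeof lnk, "%s/blastroot", base);
    if (mkdir(etc, 0700) == -1 || symlink("/", lnk) == -1)
        return -2;

    int fails = 0;
    if (chdir_checked(etc, NULL, NULL) != 0)  fails |= 1;   /* real dir accepted */
    if (chdir_checked(lnk, NULL, NULL) == 0)  fails |= 2;   /* symlink refused  */
    if (chdir_nofollow(etc) != 0)             fails |= 4;
    if (chdir_nofollow(lnk) == 0)             fails |= 8;

    /* The race: the check passes, the attacker swaps the directory for a
     * symlink, chdir() lands in /etc, and the inode comparison catches it. */
    chdir("/");                               /* leave 'etc' so rmdir() can remove it */
    if (chdir_checked(etc, swap_for_symlink, etc) == 0) fails |= 16;
    if (chdir_nofollow(etc) == 0)             fails |= 32;  /* 'etc' is a symlink now */

    chdir("/");
    unlink(lnk); unlink(etc); rmdir(base);
    return fails;
}

int main(void)
{
    int rc = run_demo();
    printf("run_demo() -> %d (0 = all cases behaved)\n", rc);
    return rc != 0;
}
```

The compare variant still leaves a window; it just detects when the window
was used and refuses to operate. The O_NOFOLLOW/fchdir variant has no
window at all, which is why a helper that must descend into attacker
writable space (anything under a group-writable /var/lib/mock) should
prefer it, and should apply the same idea to every path component it
traverses, not only the last one.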