OT Re: pam_chroot-0.8 released
John Newbigin
jn at it.swin.edu.au
Thu May 6 04:23:33 UTC 2004
Solar Designer wrote:
> On Wed, May 05, 2004 at 12:28:34PM +1000, John Newbigin wrote:
>
>>Here is a more complete check procedure.
>
>
> Yes, a check of all path components is preferable.
>
>
>>I have used this code so I hope it is secure :)
>
>
> Unfortunately, no.
Thanks for the feedback. I have modified the procedure based on your
suggestions. Obviously it can be modified as required.
John.
int verify_socket_path(char *name)
{
int i = 0;
char x;
int result = 0;
struct stat buf;
name = strdup(name);
if(!name)
{
return -1;
}
while(name[i])
{
if(name[i] == '/')
{
x = name[i + 1];
name[i + 1] = 0;
//printf("path = %s\n", name);
stat(name, &buf);
//printf("uid = %d gid = %d\n", buf.st_uid, buf.st_gid);
if(buf.st_uid != 0)
{
result = -1;
fprintf(stderr, "directory %s not owned by root\n", name);
}
if(buf.st_mode & S_IWGRP)
{
result = -1;
fprintf(stderr, "group write access to %s\n", name);
}
if(buf.st_mode & S_IWOTH)
{
result = -1;
fprintf(stderr, "other write access to %s\n", name);
}
name[i + 1] = x;
}
i++;
}
free(name);
return result;
}
>
>
>> if(buf.st_uid != 0)
>> {
>> // make sure there is no user write access
>> if(buf.st_mode & S_IWUSR)
>> {
>> result = -1;
>> fprintf(stderr, "non root user
>>has write access to %s\n", name);
>> }
>> }
>
>
> If a non-root user owns a directory, the user should be assumed to
> have write access to it. You must not check for S_IWUSR, that is
> largely irrelevant. This is because the user can chmod a directory
> he owns after your check has run.
>
>
>> if(buf.st_gid != 0)
>> {
>> // make sure there is no group write access
>> if(buf.st_mode & S_IWGRP)
>> {
>> result = -1;
>> fprintf(stderr, "non root group
>>has write access to %s\n", name);
>> }
>> }
>
>
> And this check is buggy in "the opposite" way: you must not check for
> GID 0 because it is not special to the kernel in any way and generally
> there's no valid reason to consider it trusted.
>
>
>> // make sure there is no group write access
>> if(buf.st_mode & S_IWOTH)
>> {
>> result = -1;
>> fprintf(stderr, "all users have write
>>access to %s\n", name);
>> }
>
>
> This one is OK, but I suggest that you combine it with the S_IWGRP
> check above to simplify the code. I don't see much need to have
> different error messages for the three cases.
>
--
John Newbigin - Computer Systems Officer
School of Information Technology
Swinburne University of Technology
Melbourne, Australia
http://www.it.swin.edu.au/staff/jnewbigin
More information about the Pam-list
mailing list