authorKaz Kylheku <kaz@kylheku.com>2022-07-30 11:56:19 -0700
committerKaz Kylheku <kaz@kylheku.com>2022-07-30 11:56:19 -0700
commitaa35108d6f77f56627c0561e4b48361ac298e123 (patch)
tree5cc5c35789a631ec2f717da3c4802647a0cd14c0
parent2f865fd3e2cd871387de67394013b1137142357c (diff)
downloadsafepath-aa35108d6f77f56627c0561e4b48361ac298e123.tar.gz
safepath-aa35108d6f77f56627c0561e4b48361ac298e123.tar.bz2
safepath-aa35108d6f77f56627c0561e4b48361ac298e123.zip
Ban file symlinks under /proc for all users.
Tavis Ormandy reports an attack via /proc/<pid>/fd/<n> involving an unlinked file. When the fd link refers to a file "/path/to/foo", that file can be unlinked. The link then spontaneously changes to "/path/to/foo (deleted)". A user who doesn't have permissions to /proc/<pid>/fd can perpetrate this deletion via unlink, relying on their permission to unlink /path/to/foo, which is an unrelated path. * safepath.c (abs_path_check): Do not call geteuid(); perform the check unconditionally, regardless of the effective ID of the caller. This change means that safepath_check does not trust paths generated by Bash process substitution on Linux, even for non-root users. Bash should be built to use named FIFOs, even on Linux, and avoid the dangerous /dev/fd -> /proc/self/fd mechanism.
-rw-r--r--safepath.c11
1 files changed, 2 insertions, 9 deletions
diff --git a/safepath.c b/safepath.c
index 270e486..b66db65 100644
--- a/safepath.c
+++ b/safepath.c
@@ -208,16 +208,9 @@ static int abs_path_check(const char *abspath)
* Non-root cannot access that symlink, and so is safe from it.
*/
char *sabspath = simplify_path(abspath);
-
- if (geteuid() == 0) {
- if (regexec(&bad_proc_rx, sabspath, 0, NULL, 0) == 0) {
- free(sabspath);
- return 0;
- }
- }
-
+ int res = regexec(&bad_proc_rx, sabspath, 0, NULL, 0);
free(sabspath);
- return 1;
+ return res != 0;
}
static int safepath_err(int eno)
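Review bot: `return res != 0;` is fail-open: regexec() returns 0 on a match, REG_NOMATCH when the path is clean, and other non-zero codes (such as REG_ESPACE) on an internal failure, so a regex error now reports the path as safe in exactly the check this commit is hardening. Since anything other than a definite non-match should be rejected, change the last line to `return res == REG_NOMATCH;`. The retained context comment `Non-root cannot access that symlink, and so is safe from it.` is now stale because the check no longer consults geteuid(); it should say instead that the /proc pattern is rejected for every caller, since an unprivileged user can trigger the "(deleted)" rename of an fd link by unlinking an unrelated path they own. The opening of abs_path_check and the rest of that comment lie outside the hunk.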