From aa35108d6f77f56627c0561e4b48361ac298e123 Mon Sep 17 00:00:00 2001
From: Kaz Kylheku
Date: Sat, 30 Jul 2022 11:56:19 -0700
Subject: Ban file symlinks under /proc for all users.

Travis Ormandy informs of an attack via /proc//fd/ involving an unlinked file. When the fd link refers to a file "/path/to/foo", that file can be unlinked. The link then spontaneously changes to "/path/to/foo (deleted)". A user who doesn't have permissions to /proc//fd can perpetrate this deletion via unlink, relying on their permission to unlink /path/to/foo, which is an unrelated path.

* safepath.c (abs_path_check): Do not call geteuid(); perform the check unconditionally, regardless of the effective ID of the caller.

This change means that safepath_check does not trust paths generated by Bash process substitution on Linux, even for non-root users. Bash should be built to use named FIFOs, even on Linux, and avoid the dangerous /dev/fd -> /proc/self/fd mechanism.
---
 safepath.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/safepath.c b/safepath.c
index 270e486..b66db65 100644
--- a/safepath.c
+++ b/safepath.c
@@ -208,16 +208,9 @@ static int abs_path_check(const char *abspath)
 * Non-root cannot access that symlink, and so is safe from it.
 */
 char *sabspath = simplify_path(abspath);
-
- if (geteuid() == 0) {
- if (regexec(&bad_proc_rx, sabspath, 0, NULL, 0) == 0) {
- free(sabspath);
- return 0;
- }
- }
-
+ int res = regexec(&bad_proc_rx, sabspath, 0, NULL, 0);
 free(sabspath);
- return 1;
+ return res != 0;
 }
 
 static int safepath_err(int eno)
-- 
cgit v1.2.3
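Review bot: `return res != 0;` on the last added line treats every regexec() outcome other than a match as "safe", so an execution error such as REG_ESPACE makes abs_path_check accept the path instead of rejecting it (the removed code had the same fail-open shape, so this is not a regression, but the rewrite is the place to close it); `return res == REG_NOMATCH;` keeps the same result for the two normal outcomes and fails closed on error. The context comment kept just above the change, `* Non-root cannot access that symlink, and so is safe from it.`, now contradicts the code, because the check no longer depends on geteuid(); it should be reworded to state that the /proc symlink patterns are rejected for every caller, with the "(deleted)" rename from the commit message as the reason. abs_path_check starts before this hunk, so the rest of that comment block is not visible here.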