Thread: Re: [uml-user] [PATCH 1/2] um: Set secure access mode for temporary file

Brought to you by: blaisorblade, derrichard, jdike, rusty

user-mode-linux-user

Re: [uml-user] [PATCH 1/2] um: Set secure access mode for temporary file

From: Richard W. <ri...@no...> - 2015-11-28 21:40:37

Am 28.11.2015 um 22:32 schrieb Mickaël Salaün:
> Replace the default insecure mode 0777 with 0700 for temporary file.
> 
> Prohibit other users to change the executable mapped code.

Hmm, isn't the tmp file already unlinked at this stage?

Thanks,
//richard

Re: [uml-user] [PATCH 2/2] um: Use race-free temporary file creation

From: Richard W. <ri...@no...> - 2015-11-28 22:07:19

Am 28.11.2015 um 22:32 schrieb Mickaël Salaün:
> Open the memory mapped file with the O_TMPFILE flag when available.
> 
> Signed-off-by: Mickaël Salaün <mi...@di...>
> ---
>  arch/um/os-Linux/mem.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/arch/um/os-Linux/mem.c b/arch/um/os-Linux/mem.c
> index 798aeb4..fe52e2d 100644
> --- a/arch/um/os-Linux/mem.c
> +++ b/arch/um/os-Linux/mem.c
> @@ -106,6 +106,18 @@ static int __init make_tempfile(const char *template)
>  		}
>  	}
>  
> +#ifdef O_TMPFILE
> +	fd = open(tempdir, O_CLOEXEC | O_RDWR | O_EXCL | O_TMPFILE, 0700);
> +	/*
> +	 * If the running system does not support O_TMPFILE flag then retry
> +	 * without it.
> +	 */
> +	if (fd != -1 || (errno != EINVAL && errno != EISDIR &&

Why are you handling EISDIR?

> +			errno != EOPNOTSUPP))
> +		return fd;
> +	errno = 0;

Why are you resetting errno?

Thanks,
//richard

Re: [uml-user] [PATCH 1/2] um: Set secure access mode for temporary file

From: Richard W. <ri...@no...> - 2015-11-28 22:55:33

Am 28.11.2015 um 23:52 schrieb Mickaël Salaün:
> 
> On 28/11/2015 22:40, Richard Weinberger wrote:
>> Am 28.11.2015 um 22:32 schrieb Mickaël Salaün:
>>> Replace the default insecure mode 0777 with 0700 for temporary file.
>>>
>>> Prohibit other users to change the executable mapped code.
>>
>> Hmm, isn't the tmp file already unlinked at this stage?
>>
> 
> Yes, but if someone could open it before the unlink e.g. because of the umask (which does not seems to be the case thanks to mkstemp, but remains unspecified [1]), this user should then be able to have write access to the file descriptor/description.

Yes, someone can open it before the unlink. But you change the file mode after that.
How does it improve the situation? The attacker has already the file handle.

Thanks,
//richard

Re: [uml-user] [PATCH 2/2] um: Use race-free temporary file creation

From: Richard W. <ri...@no...> - 2015-11-28 22:59:11

Am 28.11.2015 um 23:56 schrieb Mickaël Salaün:
> 
> On 28/11/2015 23:07, Richard Weinberger wrote:
>> Am 28.11.2015 um 22:32 schrieb Mickaël Salaün:
>>> Open the memory mapped file with the O_TMPFILE flag when available.
>>>
>>> Signed-off-by: Mickaël Salaün <mi...@di...>
>>> ---
>>>  arch/um/os-Linux/mem.c | 12 ++++++++++++
>>>  1 file changed, 12 insertions(+)
>>>
>>> diff --git a/arch/um/os-Linux/mem.c b/arch/um/os-Linux/mem.c
>>> index 798aeb4..fe52e2d 100644
>>> --- a/arch/um/os-Linux/mem.c
>>> +++ b/arch/um/os-Linux/mem.c
>>> @@ -106,6 +106,18 @@ static int __init make_tempfile(const char *template)
>>>  		}
>>>  	}
>>>  
>>> +#ifdef O_TMPFILE
>>> +	fd = open(tempdir, O_CLOEXEC | O_RDWR | O_EXCL | O_TMPFILE, 0700);
>>> +	/*
>>> +	 * If the running system does not support O_TMPFILE flag then retry
>>> +	 * without it.
>>> +	 */
>>> +	if (fd != -1 || (errno != EINVAL && errno != EISDIR &&
>>
>> Why are you handling EISDIR?
> 
> I follow the man page for open [1], I think it was a workaround needed for some kernel versions just after the O_TMPFILE was added but before the support for EOPNOTSUPP.
> We may need to add the EACCES too for some version of glibc [2, 3]?

Makes sense! :)

> 1. http://man7.org/linux/man-pages/man2/openat.2.html#BUGS
> 2. Commit 69a91c237ab0ebe4e9fdeaf6d0090c85275594ec and https://sourceware.org/bugzilla/show_bug.cgi?id=17523
> 3. https://bugs.gentoo.org/529044
> 
>>
>>> +			errno != EOPNOTSUPP))
>>> +		return fd;
>>> +	errno = 0;
>>
>> Why are you resetting errno?
> 
> It's to ignore/reset the error code from open, but it may not be needed because of the next call to malloc?

But then you'd have to reset errno after every syscall. :-)

Thanks,
//richard

Re: [uml-user] [PATCH 1/2] um: Set secure access mode for temporary file

From: Richard W. <ri...@no...> - 2015-11-28 23:11:48

Am 29.11.2015 um 00:00 schrieb Mickaël Salaün:
> 
> 
> On 28/11/2015 23:55, Richard Weinberger wrote:
>> Am 28.11.2015 um 23:52 schrieb Mickaël Salaün:
>>>
>>> On 28/11/2015 22:40, Richard Weinberger wrote:
>>>> Am 28.11.2015 um 22:32 schrieb Mickaël Salaün:
>>>>> Replace the default insecure mode 0777 with 0700 for temporary file.
>>>>>
>>>>> Prohibit other users to change the executable mapped code.
>>>>
>>>> Hmm, isn't the tmp file already unlinked at this stage?
>>>>
>>>
>>> Yes, but if someone could open it before the unlink e.g. because of the umask (which does not seems to be the case thanks to mkstemp, but remains unspecified [1]), this user should then be able to have write access to the file descriptor/description.
>>
>> Yes, someone can open it before the unlink. But you change the file mode after that.
>> How does it improve the situation? The attacker has already the file handle.
> 
> The attacker could have the file handle only in a read-only mode, which is a bit different than being able to write and execute arbitrary code thanks to a file descriptor mapped RWX :)

Fair point. Please describe this in detail in the patch changelog. :-)

Thanks,
//richard