From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from jazzdrum.ncsc.mil (zombie.ncsc.mil [144.51.88.131])
	by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id k7VFlA1D005571
	for ; Thu, 31 Aug 2006 11:47:10 -0400
Received: from mail.atsec.com (jazzdrum.ncsc.mil [144.51.5.7])
	by jazzdrum.ncsc.mil (8.12.10/8.12.10) with ESMTP id k7VFkWi7010066
	for ; Thu, 31 Aug 2006 15:46:32 GMT
Date: Thu, 31 Aug 2006 10:46:35 -0500
From: Klaus Weidner
To: Joshua Brindle
Cc: Karl MacMillan, Joshua Brindle, russell@coker.com.au,
	selinux@tycho.nsa.gov, Stephan Mueller
Subject: Re: type transitioning script race condition?
Message-ID: <20060831154635.GC12307@w-m-p.com>
References: <20060830223937.GB12307@w-m-p.com>
	<200608310918.03263.russell@coker.com.au>
	<44F6539E.7090800@gentoo.org>
	<1157030632.3106.7.camel@localhost.localdomain>
	<1157032383.24429.90.camel@twoface.columbia.tresys.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <1157032383.24429.90.camel@twoface.columbia.tresys.com>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Thu, Aug 31, 2006 at 09:53:03AM -0400, Joshua Brindle wrote:
> On Thu, 2006-08-31 at 09:23 -0400, Karl MacMillan wrote:
> > If you write a C program wrapper, both issues should be greatly
> > mitigated because you are no longer gaining privilege on the script
> > execution - see
> > http://svn.python.org/view/python/trunk/Misc/setuid-prog.c?rev=11583&view=auto.
> > I've been meaning to do this for semanage for a while but haven't
> > gotten to it yet.
>
> The one you referenced is specific to python but I'd like something more
> general, basically what I'm envisioning is a wrapper that you symlink
> all your interpreters to:
>
> /usr/bin/perl -> /usr/lib/wrapper/envcleaner (or whatever)
> same with python, php, etc
>
> and when the wrapper is run it looks at how it was run (argv[0]) and
> checks a config file, something like:
>
> /usr/bin/python:
> (from the above link)
> bad_vars: LD_* _RLD* PYTHON IFS CDPATH ENV
>
> or whatever, something generic that we can use to protect any kind of
> interpreted script, it could check for uid changes as well as do an
> atsecure check to decide if it needs to cleanse the environment.

I think this is the wrong way around - it doesn't protect against the
race, and a perl or python script can easily clean its own environment
and doesn't need a helper program to do that.

The traditional method is to create an executable file that launches a
specific script, and make that executable suid, type transitioning or
whatever. This takes care of some issues such as LD_* variables
automatically.

The python wrapper Karl linked to does part of the job, but if you're
paranoid there are more things you need to protect against:

- other environment variables may be dangerous, for example program
  "foo" launched indirectly from the script may look at a FOORC variable
  to find its config file. In general it's safer to completely wipe the
  environment and only retain specific variables from a whitelist.

- set up file descriptors - close extra ones, and make sure 0/1/2 are
  open. A nasty hack is closing fd 2 (stderr) before launching the
  trusted app. The application opens a file for writing, gets fd 2 from
  the OS for that, and now anything it's intending to write to stderr
  such as warning or progress messages will also go to that file.

- make sure that resource limits are reasonable. Another hack involved
  setting the max file size to a very low value and calling passwd(1),
  which then truncated /etc/shadow due to the limit.

These things should be done for all suid/privileged programs, not just
scripts, because they may be using system(3) or equivalent to call a
program via the shell which could then get contaminated by $IFS or other
malicious settings.

-Klaus

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
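As an added example, not code from the message above or from any project: a minimal C launcher of the kind Klaus describes, a fixed executable that can be made suid or given a type transition and that execs one specific script, applying the three checks he lists before the exec: an environment rebuilt from a whitelist, descriptors 0/1/2 guaranteed open and everything above them closed, and soft resource limits raised back to their hard limits. The interpreter path, the script path, the whitelist (TERM, LANG) and the fixed PATH are illustrative assumptions, not values from the mail.

```c
/* Added example, not code from the mail or any project: a minimal setuid /
 * type-transition launcher for one fixed script, applying the checks from the
 * message above. INTERP, SCRIPT, keep[] and the fixed PATH are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>
extern char **environ;

#define INTERP   "/usr/bin/python"               /* hypothetical */
#define SCRIPT   "/usr/lib/example/privtool.py"  /* hypothetical, root-owned dir */
#define MAX_ENV  64
#define MAX_ARGS 64

/* Does out[0..n) already hold a variable named name[0..klen)? */
static int env_has(char **out, int n, const char *name, size_t klen)
{
    for (int i = 0; i < n; i++)
        if (strncmp(out[i], name, klen) == 0 && out[i][klen] == '=') return 1;
    return 0;
}

/* Environment for the script: the fixed NAME=value entries first, then only
 * caller variables whose names are in keep. Everything else (LD_*, IFS,
 * PYTHON*, a FOORC-style override, ...) is dropped, and a duplicate name
 * never displaces an earlier entry. out is NULL-terminated; returns count. */
int build_clean_env(char *const *envp, const char *const *keep,
                    const char *const *fixed, char **out, int max)
{
    int n = 0;
    for (; *fixed && n < max - 1; fixed++) out[n++] = (char *)*fixed;
    for (; *envp && n < max - 1; envp++) {
        const char *eq = strchr(*envp, '=');
        if (!eq || eq == *envp) continue;            /* malformed: drop */
        size_t klen = (size_t)(eq - *envp);
        for (const char *const *k = keep; *k; k++)
            if (strlen(*k) == klen && memcmp(*k, *envp, klen) == 0 &&
                !env_has(out, n, *envp, klen)) { out[n++] = *envp; break; }
    }
    out[n] = NULL;
    return n;
}

/* Make sure 0, 1 and 2 are open so nothing the privileged program opens can
 * land on stderr (the closed-fd-2 trick). open(2) returns the lowest free
 * descriptor, so scanning upward fills exactly the missing ones. 0 on success. */
int ensure_std_fds(void)
{
    for (int fd = 0; fd < 3; fd++) {
        if (fcntl(fd, F_GETFD) != -1) continue;      /* already open */
        if (errno != EBADF) return -1;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd != fd) { if (nfd >= 0) close(nfd); return -1; }
    }
    return 0;
}

/* Close every descriptor >= from that the caller may have left open. */
void close_extra_fds(int from)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0) max = 1024;
    for (long fd = from; fd < max; fd++) close((int)fd);
}

/* Undo soft limits an unprivileged caller may have lowered to sabotage the
 * privileged program (the RLIMIT_FSIZE/passwd trick): raise each soft limit
 * back to the hard limit. Returns 0 on success. */
int reset_limits(void)
{
    const int which[] = { RLIMIT_FSIZE, RLIMIT_CPU, RLIMIT_DATA, RLIMIT_AS };
    for (size_t i = 0; i < sizeof which / sizeof which[0]; i++) {
        struct rlimit rl;
        if (getrlimit(which[i], &rl) != 0) return -1;
        rl.rlim_cur = rl.rlim_max;
        if (setrlimit(which[i], &rl) != 0) return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    static const char *const keep[] = { "TERM", "LANG", NULL };
    static const char *const fixed[] = { "PATH=/usr/bin:/bin", NULL };
    char *clean[MAX_ENV], *nargv[MAX_ARGS];
    int n = 2;

    if (ensure_std_fds() != 0 || reset_limits() != 0) return 1;
    close_extra_fds(3);
    build_clean_env(environ, keep, fixed, clean, MAX_ENV);
    /* Interpreter and script paths are fixed, never taken from the caller,
     * so there is no caller-controlled script file to race against. */
    nargv[0] = (char *)INTERP;
    nargv[1] = (char *)SCRIPT;
    for (int i = 1; i < argc && n < MAX_ARGS - 1; i++) nargv[n++] = argv[i];
    nargv[n] = NULL;
    execve(INTERP, nargv, clean);
    perror("execve");
    return 127;
}
```

Two design points worth noting. The environment is built from the whitelist into a fresh array rather than by deleting known-bad names, so a variable nobody thought to blacklist (the FOORC case) is dropped by default, and PATH is always the launcher's own value even if the caller also supplied one. The descriptor and limit steps run before the exec because, as the message says, the interpreter and the programs it calls through system(3) inherit whatever the caller left behind; which limits to reset and which variables to keep is a per-program policy decision, and the lists here are only placeholders.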