From: Jeff Dike <jdike@addtoit.com>
To: "Paolo 'Blaisorblade' Giarrusso" <blaisorblade@yahoo.it>
Cc: Andrew Morton <akpm@osdl.org>,
linux-kernel@vger.kernel.org,
user-mode-linux-devel@lists.sourceforge.net
Subject: Re: [PATCH 04/11] uml - hostfs: avoid possible escapes from hostfs=.
Date: Mon, 5 Mar 2007 17:03:34 -0500 [thread overview]
Message-ID: <20070305220334.GB7702@ccure.user-mode-linux.org> (raw)
In-Reply-To: <20070305204902.9072.1224.stgit@americanbeauty.home.lan>
On Mon, Mar 05, 2007 at 09:49:02PM +0100, Paolo 'Blaisorblade' Giarrusso wrote:
> From: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
>
> Avoid accepting things like -o .., -o dir/../../dir2, -o dir/../.. .
> This may be considered useless, but YMMV. I consider that this has a limited
> security value, exactly like disabling module support (in many case it is
> useful).
Two comments on this one:
> + return strstr(path, "/../") != NULL ||
> + strcmp(path, "..") == 0 ||
> + strncmp(path, "../", strlen("../")) == 0 ||
> + str_ends_with(path, "/..");
Minor style point - I'd be happier with more parens:
+ return (strstr(path, "/../") != NULL) ||
+ (strcmp(path, "..") == 0) ||
+ (strncmp(path, "../", strlen("../")) == 0) ||
+ str_ends_with(path, "/..");
C gets operator precedence wrong in one or two cases, so I just put parens
any place it might matter.
Second, there is code in externfs which does the same thing without
parsing paths which you might consider instead. It sees whether the
requested directory is outside the jail by cd-ing to it and then
repeatedly cd .. until it either reaches / or the jail root.
A copy is below for your reading pleasure.
Jeff
--
Work email - jdike at linux dot intel dot com
/* This does a careful check of whether it's being asked to mount something
* that's outside the hostfs jail. It does so by cd-ing to the requested
* directory and "cd .." until it either reaches / or the jail directory.
* If it reaches /, then we were outside the jail and we return -EPERM.
* I do things this way rather than trying to examine the passed-in root
* to avoid having to parse the string for instances of ".." and the like.
* Examining the string also doesn't help with symlinks that point outside
* the jail. Plus, if there's no parsing, there's no parser to try to exploit.
*/
static int escaping_jail(char *root)
{
struct uml_stat jail_inode;
struct uml_stat last_dir, cur_dir;
int save_pwd, err, escaping = -EPERM;
const char *path[] = { jail_dir, root, NULL };
char tmp[HOSTFS_BUFSIZE], *file;
err = os_stat_file(jail_dir, &jail_inode);
if(err)
goto out;
save_pwd = os_open_file(".", of_read(OPENFLAGS()), 0);
if(save_pwd < 0)
goto out;
file = get_path(path, tmp, sizeof(tmp));
if(file == NULL)
goto out_close;
err = os_change_dir(file);
if(err)
goto out_free;
err = os_stat_file(".", &cur_dir);
if(err)
goto out_back;
do {
if(SAME_INO(cur_dir, jail_inode)){
escaping = 0;
break;
}
err = os_change_dir("..");
if(err)
goto out_back;
last_dir = cur_dir;
err = os_stat_file(".", &cur_dir);
if(err)
goto out_back;
} while(!SAME_INO(last_dir, cur_dir));
err = os_fchange_dir(save_pwd);
if(err)
goto out_close;
free_path(file, tmp);
os_close_file(save_pwd);
return escaping;
out_back:
os_fchange_dir(save_pwd);
out_free:
free_path(file, tmp);
out_close:
os_close_file(save_pwd);
out:
return err;
}
next prev parent reply other threads:[~2007-03-05 22:12 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-05 20:42 [PATCH 00/11] Uml simple fixes Paolo 'Blaisorblade' Giarrusso
2007-03-05 20:48 ` [PATCH 01/11] uml: code convention cleanup of a file Paolo 'Blaisorblade' Giarrusso
2007-03-05 21:55 ` Jeff Dike
2007-03-05 20:49 ` [PATCH 02/11] uml - hostfs: fix double free Paolo 'Blaisorblade' Giarrusso
2007-03-05 20:49 ` [PATCH 03/11] uml - hostfs: make hostfs= option work as a jail, as intended Paolo 'Blaisorblade' Giarrusso
2007-03-05 20:49 ` [PATCH 04/11] uml - hostfs: avoid possible escapes from hostfs= Paolo 'Blaisorblade' Giarrusso
2007-03-05 22:03 ` Jeff Dike [this message]
2007-03-05 22:59 ` [uml-devel] " Blaisorblade
2007-03-05 23:07 ` Jeff Dike
2007-03-05 20:49 ` [PATCH 05/11] hostfs: rename some vars for clarity Paolo 'Blaisorblade' Giarrusso
2007-03-05 20:49 ` [PATCH 06/11] uml: fix a memory leak in the multicast driver Paolo 'Blaisorblade' Giarrusso
2007-03-05 20:49 ` [PATCH 07/11] uml: remove dead code about os_usr1_signal() and os_usr1_process() Paolo 'Blaisorblade' Giarrusso
2007-03-05 20:49 ` [PATCH 08/11] uml: mark both consoles as CON_ANYTIME Paolo 'Blaisorblade' Giarrusso
2007-03-05 20:49 ` [PATCH 09/11] uml: fix confusion irq early reenabling Paolo 'Blaisorblade' Giarrusso
2007-03-05 20:49 ` [PATCH 10/11] uml - activate_fd: return ENOMEM only when appropriate Paolo 'Blaisorblade' Giarrusso
2007-03-05 20:49 ` [PATCH 11/11] uml: fix errno usage Paolo 'Blaisorblade' Giarrusso
2007-03-05 22:06 ` [PATCH 00/11] Uml simple fixes Jeff Dike
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070305220334.GB7702@ccure.user-mode-linux.org \
--to=jdike@addtoit.com \
--cc=akpm@osdl.org \
--cc=blaisorblade@yahoo.it \
--cc=linux-kernel@vger.kernel.org \
--cc=user-mode-linux-devel@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox