* [PATCH 0/1] pseudo permissions: better fchmodat, mask out write bits @ 2014-05-19 21:51 Peter Seebach 2014-05-19 21:51 ` [PATCH 1/1] pseudo: handle fchmodat better, mask out unwanted " Peter Seebach 0 siblings, 1 reply; 6+ messages in thread From: Peter Seebach @ 2014-05-19 21:51 UTC (permalink / raw) To: openembedded-core (Sorry if this ends up getting duplicated, had mail server issues, and there may be deferred copies floating around somewhere.) Two changes: 1. Report failures from calling fchmodat with AT_SYMLINK_NOFOLLOW, because otherwise GNU tar won't set modes as well as we would like it to. (No effect on generated filesystems, I think, just on the underlying local filesystem.) 2. Mask out write bits for non-user in the real filesystem, so other users can't add stuff to the mode 777 directories in your rootfs. The following changes since commit e273301efa0037a13c3a60b4414140364d9c9873: gstreamer/lame: Better gcc 4.9 fix (2014-05-15 23:27:41 +0100) are available in the git repository at: git://git.yoctoproject.org/poky-contrib sees/pseudo-fchmodat http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=seebs/pseudo-fchmodat Peter Seebach (1): pseudo: handle fchmodat better, mask out unwanted write bits .../pseudo/files/pseudo-fchmodat-permissions.patch | 98 ++++++++++++++++++++ meta/recipes-devtools/pseudo/pseudo_1.5.1.bb | 3 +- 2 files changed, 100 insertions(+), 1 deletions(-) create mode 100644 meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/1] pseudo: handle fchmodat better, mask out unwanted write bits 2014-05-19 21:51 [PATCH 0/1] pseudo permissions: better fchmodat, mask out write bits Peter Seebach @ 2014-05-19 21:51 ` Peter Seebach 2014-05-21 15:14 ` Saul Wold 0 siblings, 1 reply; 6+ messages in thread From: Peter Seebach @ 2014-05-19 21:51 UTC (permalink / raw) To: openembedded-core It turns out that pseudo's decision not to report errors from the host system's fchmodat() can break GNU tar in a very strange way, resulting in directories being mode 0700 instead of whatever they should have been. Additionally, it turns out that if you make directories in your rootfs mode 777, that results in the local copies being mode 777, which could allow a hypothetical attacker with access to the machine to add files to your rootfs image. We should mask out the 022 bits when making actual mode changes in the rootfs. Signed-off-by: Peter Seebach <peter.seebach@windriver.com> --- .../pseudo/files/pseudo-fchmodat-permissions.patch | 98 ++++++++++++++++++++ meta/recipes-devtools/pseudo/pseudo_1.5.1.bb | 3 +- 2 files changed, 100 insertions(+), 1 deletions(-) create mode 100644 meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch diff --git a/meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch b/meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch new file mode 100644 index 0000000..74a409c --- /dev/null +++ b/meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch @@ -0,0 +1,98 @@ +commit 5a6f2896ed44029ced2a33ac64c962737c5171a0 +Author: Peter Seebach <peter.seebach@windriver.com> +Date: Fri May 16 15:53:06 2014 -0500 + + permissions updates: improve fchmodat, mask out write bits + + Backport from pseudo 1.6 of improvements to fchmodat (handle + AT_SYMLINK_NOFOLLOW by rejecting it if the host system does, + to make GNU tar happier), also mask out write bits from filesystem + modes to avoid security problems. + +diff --git a/ChangeLog.txt b/ChangeLog.txt +index 113f675..fab1033 100644 +--- a/ChangeLog.txt ++++ b/ChangeLog.txt +@@ -1,3 +1,14 @@ ++2014-05-16: ++ * (seebs) fchmodat: don't drop flags, report failures, to improve ++ compatibility/consistency. Cache the knowledge that ++ AT_SYMLINK_NOFOLLOW gets ENOTSUP. ++ * (seebs) mask out group/other write bits in real filesystem to ++ reduce risks when assembling a rootfs including world-writeable ++ directories. ++ ++2014-05-15: ++ * (seebs) drop flags when calling fchmodat() to appease GNU tar. ++ + 2013-02-27: + * (seebs) Oh, hey, what if I took out my debug messages? + * (seebs) update docs a bit to reduce bitrot +diff --git a/ports/unix/guts/fchmodat.c b/ports/unix/guts/fchmodat.c +index 59a92ce..69a953c 100644 +--- a/ports/unix/guts/fchmodat.c ++++ b/ports/unix/guts/fchmodat.c +@@ -8,6 +8,7 @@ + */ + PSEUDO_STATBUF buf; + int save_errno = errno; ++ static int picky_fchmodat = 0; + + #ifdef PSEUDO_NO_REAL_AT_FUNCTIONS + if (dirfd != AT_FDCWD) { +@@ -15,6 +16,16 @@ + return -1; + } + if (flags & AT_SYMLINK_NOFOLLOW) { ++ /* Linux, as of this writing, will always reject this. ++ * GNU tar relies on getting the rejection. To cut down ++ * on traffic, we check for the failure, and if we saw ++ * a failure previously, we reject it right away and tell ++ * the caller to retry. ++ */ ++ if (picky_fchmodat) { ++ errno = ENOTSUP; ++ return -1; ++ } + rc = base_lstat(path, &buf); + } else { + rc = base_stat(path, &buf); +@@ -50,13 +61,22 @@ + + /* user bits added so "root" can always access files. */ + #ifdef PSEUDO_NO_REAL_AT_FUNCTIONS +- /* note: if path was a symlink, and AT_NOFOLLOW_SYMLINKS was ++ /* note: if path was a symlink, and AT_SYMLINK_NOFOLLOW was + * specified, we already bailed previously. */ + real_chmod(path, PSEUDO_FS_MODE(mode, S_ISDIR(buf.st_mode))); + #else +- real_fchmodat(dirfd, path, PSEUDO_FS_MODE(mode, S_ISDIR(buf.st_mode)), flags); ++ rc = real_fchmodat(dirfd, path, PSEUDO_FS_MODE(mode, S_ISDIR(buf.st_mode)), flags); ++ /* AT_SYMLINK_NOFOLLOW isn't supported by fchmodat. GNU tar ++ * tries to use it anyway, figuring it can just retry if that ++ * fails. So we want to report that *particular* failure instead ++ * of doing the fallback. ++ */ ++ if (rc == -1 && errno == ENOTSUP && (flags & AT_SYMLINK_NOFOLLOW)) { ++ picky_fchmodat = 1; ++ return -1; ++ } + #endif +- /* we ignore a failure from underlying fchmod, because pseudo ++ /* we otherwise ignore failures from underlying fchmod, because pseudo + * may believe you are permitted to change modes that the filesystem + * doesn't. Note that we also don't need to know whether the + * file might be a (pseudo) block device or some such; pseudo +diff --git a/pseudo_client.h b/pseudo_client.h +index f36a772..ecb13a6 100644 +--- a/pseudo_client.h ++++ b/pseudo_client.h +@@ -85,6 +85,6 @@ extern int pseudo_nosymlinkexp; + * None of this will behave very sensibly if umask has 0700 bits in it; + * this is a known limitation. + */ +-#define PSEUDO_FS_MODE(mode, isdir) ((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) +-#define PSEUDO_DB_MODE(fs_mode, user_mode) (((fs_mode) & ~0700) | ((user_mode & 0700))) ++#define PSEUDO_FS_MODE(mode, isdir) ((((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) & ~(S_IWGRP | S_IWOTH)) & ~(S_IWOTH | S_IWGRP)) ++#define PSEUDO_DB_MODE(fs_mode, user_mode) (((fs_mode) & ~0722) | ((user_mode & 0722))) + diff --git a/meta/recipes-devtools/pseudo/pseudo_1.5.1.bb b/meta/recipes-devtools/pseudo/pseudo_1.5.1.bb index 215cdb8..47291fd 100644 --- a/meta/recipes-devtools/pseudo/pseudo_1.5.1.bb +++ b/meta/recipes-devtools/pseudo/pseudo_1.5.1.bb @@ -1,12 +1,13 @@ require pseudo.inc -PR = "r4" +PR = "r5" SRC_URI = " \ http://www.yoctoproject.org/downloads/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0001-pseudo_has_unload-add-function.patch \ file://shutdownping.patch \ file://pseudo-1.5.1-install-directory-mode.patch \ + file://pseudo-fchmodat-permissions.patch \ " SRC_URI[md5sum] = "5ec67c7bff5fe68c56de500859c19172" -- 1.7.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] pseudo: handle fchmodat better, mask out unwanted write bits 2014-05-19 21:51 ` [PATCH 1/1] pseudo: handle fchmodat better, mask out unwanted " Peter Seebach @ 2014-05-21 15:14 ` Saul Wold 2014-05-21 18:58 ` Peter Seebach 0 siblings, 1 reply; 6+ messages in thread From: Saul Wold @ 2014-05-21 15:14 UTC (permalink / raw) To: Peter Seebach, openembedded-core On 05/19/2014 02:51 PM, Peter Seebach wrote: > It turns out that pseudo's decision not to report errors from > the host system's fchmodat() can break GNU tar in a very strange > way, resulting in directories being mode 0700 instead of whatever > they should have been. > > Additionally, it turns out that if you make directories in your > rootfs mode 777, that results in the local copies being mode 777, > which could allow a hypothetical attacker with access to the > machine to add files to your rootfs image. We should mask out > the 022 bits when making actual mode changes in the rootfs. > > Signed-off-by: Peter Seebach <peter.seebach@windriver.com> > --- > .../pseudo/files/pseudo-fchmodat-permissions.patch | 98 ++++++++++++++++++++ > meta/recipes-devtools/pseudo/pseudo_1.5.1.bb | 3 +- > 2 files changed, 100 insertions(+), 1 deletions(-) > create mode 100644 meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch > > diff --git a/meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch b/meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch > new file mode 100644 > index 0000000..74a409c > --- /dev/null > +++ b/meta/recipes-devtools/pseudo/files/pseudo-fchmodat-permissions.patch > @@ -0,0 +1,98 @@ > +commit 5a6f2896ed44029ced2a33ac64c962737c5171a0 > +Author: Peter Seebach <peter.seebach@windriver.com> > +Date: Fri May 16 15:53:06 2014 -0500 > + > + permissions updates: improve fchmodat, mask out write bits > + > + Backport from pseudo 1.6 of improvements to fchmodat (handle > + AT_SYMLINK_NOFOLLOW by rejecting it if the host system does, > + to make GNU tar happier), also mask out write bits from filesystem > + modes to avoid security problems. > + Peter, I know it says Backport above, but can you please add an Upstream-Status: tag to this .patch file. Also, do you have plans to do a 1.6 update for OE-Core soon? Thanks Sau! > +diff --git a/ChangeLog.txt b/ChangeLog.txt > +index 113f675..fab1033 100644 > +--- a/ChangeLog.txt > ++++ b/ChangeLog.txt > +@@ -1,3 +1,14 @@ > ++2014-05-16: > ++ * (seebs) fchmodat: don't drop flags, report failures, to improve > ++ compatibility/consistency. Cache the knowledge that > ++ AT_SYMLINK_NOFOLLOW gets ENOTSUP. > ++ * (seebs) mask out group/other write bits in real filesystem to > ++ reduce risks when assembling a rootfs including world-writeable > ++ directories. > ++ > ++2014-05-15: > ++ * (seebs) drop flags when calling fchmodat() to appease GNU tar. > ++ > + 2013-02-27: > + * (seebs) Oh, hey, what if I took out my debug messages? > + * (seebs) update docs a bit to reduce bitrot > +diff --git a/ports/unix/guts/fchmodat.c b/ports/unix/guts/fchmodat.c > +index 59a92ce..69a953c 100644 > +--- a/ports/unix/guts/fchmodat.c > ++++ b/ports/unix/guts/fchmodat.c > +@@ -8,6 +8,7 @@ > + */ > + PSEUDO_STATBUF buf; > + int save_errno = errno; > ++ static int picky_fchmodat = 0; > + > + #ifdef PSEUDO_NO_REAL_AT_FUNCTIONS > + if (dirfd != AT_FDCWD) { > +@@ -15,6 +16,16 @@ > + return -1; > + } > + if (flags & AT_SYMLINK_NOFOLLOW) { > ++ /* Linux, as of this writing, will always reject this. > ++ * GNU tar relies on getting the rejection. To cut down > ++ * on traffic, we check for the failure, and if we saw > ++ * a failure previously, we reject it right away and tell > ++ * the caller to retry. > ++ */ > ++ if (picky_fchmodat) { > ++ errno = ENOTSUP; > ++ return -1; > ++ } > + rc = base_lstat(path, &buf); > + } else { > + rc = base_stat(path, &buf); > +@@ -50,13 +61,22 @@ > + > + /* user bits added so "root" can always access files. */ > + #ifdef PSEUDO_NO_REAL_AT_FUNCTIONS > +- /* note: if path was a symlink, and AT_NOFOLLOW_SYMLINKS was > ++ /* note: if path was a symlink, and AT_SYMLINK_NOFOLLOW was > + * specified, we already bailed previously. */ > + real_chmod(path, PSEUDO_FS_MODE(mode, S_ISDIR(buf.st_mode))); > + #else > +- real_fchmodat(dirfd, path, PSEUDO_FS_MODE(mode, S_ISDIR(buf.st_mode)), flags); > ++ rc = real_fchmodat(dirfd, path, PSEUDO_FS_MODE(mode, S_ISDIR(buf.st_mode)), flags); > ++ /* AT_SYMLINK_NOFOLLOW isn't supported by fchmodat. GNU tar > ++ * tries to use it anyway, figuring it can just retry if that > ++ * fails. So we want to report that *particular* failure instead > ++ * of doing the fallback. > ++ */ > ++ if (rc == -1 && errno == ENOTSUP && (flags & AT_SYMLINK_NOFOLLOW)) { > ++ picky_fchmodat = 1; > ++ return -1; > ++ } > + #endif > +- /* we ignore a failure from underlying fchmod, because pseudo > ++ /* we otherwise ignore failures from underlying fchmod, because pseudo > + * may believe you are permitted to change modes that the filesystem > + * doesn't. Note that we also don't need to know whether the > + * file might be a (pseudo) block device or some such; pseudo > +diff --git a/pseudo_client.h b/pseudo_client.h > +index f36a772..ecb13a6 100644 > +--- a/pseudo_client.h > ++++ b/pseudo_client.h > +@@ -85,6 +85,6 @@ extern int pseudo_nosymlinkexp; > + * None of this will behave very sensibly if umask has 0700 bits in it; > + * this is a known limitation. > + */ > +-#define PSEUDO_FS_MODE(mode, isdir) ((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) > +-#define PSEUDO_DB_MODE(fs_mode, user_mode) (((fs_mode) & ~0700) | ((user_mode & 0700))) > ++#define PSEUDO_FS_MODE(mode, isdir) ((((mode) | S_IRUSR | S_IWUSR | ((isdir) ? S_IXUSR : 0)) & ~(S_IWGRP | S_IWOTH)) & ~(S_IWOTH | S_IWGRP)) > ++#define PSEUDO_DB_MODE(fs_mode, user_mode) (((fs_mode) & ~0722) | ((user_mode & 0722))) > + > diff --git a/meta/recipes-devtools/pseudo/pseudo_1.5.1.bb b/meta/recipes-devtools/pseudo/pseudo_1.5.1.bb > index 215cdb8..47291fd 100644 > --- a/meta/recipes-devtools/pseudo/pseudo_1.5.1.bb > +++ b/meta/recipes-devtools/pseudo/pseudo_1.5.1.bb > @@ -1,12 +1,13 @@ > require pseudo.inc > > -PR = "r4" > +PR = "r5" > > SRC_URI = " \ > http://www.yoctoproject.org/downloads/${BPN}/${BPN}-${PV}.tar.bz2 \ > file://0001-pseudo_has_unload-add-function.patch \ > file://shutdownping.patch \ > file://pseudo-1.5.1-install-directory-mode.patch \ > + file://pseudo-fchmodat-permissions.patch \ > " > > SRC_URI[md5sum] = "5ec67c7bff5fe68c56de500859c19172" > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] pseudo: handle fchmodat better, mask out unwanted write bits 2014-05-21 15:14 ` Saul Wold @ 2014-05-21 18:58 ` Peter Seebach 2014-05-21 19:00 ` Burton, Ross 0 siblings, 1 reply; 6+ messages in thread From: Peter Seebach @ 2014-05-21 18:58 UTC (permalink / raw) To: Saul Wold; +Cc: openembedded-core On Wed, 21 May 2014 08:14:14 -0700 Saul Wold <sgw@linux.intel.com> wrote: > Peter, I know it says Backport above, but can you please add an > Upstream-Status: tag to this .patch file. I might be able to, but I'm sort of swamped right now; I will see if I can shake some minutes loose. Do Upstream-Status tags have a specified format? > Also, do you have plans to do a 1.6 update for OE-Core soon? I would love to, but I don't have an ETA on actually having any available time. I'd like to clean up a few more things, but the 1_6_0 branch seems pretty stable these days, I think. Although I'd like more testing with the xattr support. I think I heard something about something being done in early to mid June after which I might have cycles. -s -- Listen, get this. Nobody with a good compiler needs to be justified. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] pseudo: handle fchmodat better, mask out unwanted write bits 2014-05-21 18:58 ` Peter Seebach @ 2014-05-21 19:00 ` Burton, Ross 2014-05-21 23:08 ` Peter Seebach 0 siblings, 1 reply; 6+ messages in thread From: Burton, Ross @ 2014-05-21 19:00 UTC (permalink / raw) To: Peter Seebach; +Cc: OE-core On 21 May 2014 19:58, Peter Seebach <peter.seebach@windriver.com> wrote: >> Peter, I know it says Backport above, but can you please add an >> Upstream-Status: tag to this .patch file. > > I might be able to, but I'm sort of swamped right now; I will see if I can > shake some minutes loose. Do Upstream-Status tags have a specified format? http://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#Patch_Header_Recommendations Basically, Upstream-Status: Backport [original sha here] Ross ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] pseudo: handle fchmodat better, mask out unwanted write bits 2014-05-21 19:00 ` Burton, Ross @ 2014-05-21 23:08 ` Peter Seebach 0 siblings, 0 replies; 6+ messages in thread From: Peter Seebach @ 2014-05-21 23:08 UTC (permalink / raw) To: Burton, Ross; +Cc: OE-core On Wed, 21 May 2014 20:00:51 +0100 "Burton, Ross" <ross.burton@intel.com> wrote: > Basically, Upstream-Status: Backport [original sha here] Ahh, thanks. I have attempted to send a fixed pull request. (I don't actually have time to do anything yet, but my code's compiling.) -s -- Listen, get this. Nobody with a good compiler needs to be justified. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2014-05-21 23:08 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2014-05-19 21:51 [PATCH 0/1] pseudo permissions: better fchmodat, mask out write bits Peter Seebach 2014-05-19 21:51 ` [PATCH 1/1] pseudo: handle fchmodat better, mask out unwanted " Peter Seebach 2014-05-21 15:14 ` Saul Wold 2014-05-21 18:58 ` Peter Seebach 2014-05-21 19:00 ` Burton, Ross 2014-05-21 23:08 ` Peter Seebach
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox