On Wed, Aug 16, 2006 at 10:33:20PM -0500, Corey Wright wrote:
> On Sun, 13 Aug 2006 03:41:35 -0500
> Corey Wright <undefined@pobox.com> wrote:
>
> > this email is to serve as a notification of a problem and a survey of
> > possible workarounds/solutions.
> >
> > the problem: when using dpkg to upgrade a package that contains setuid/gid
> > files which have been unified/hashified, dpkg wants to first chmod 600 the
> > files before unlinking them (in case somebody has hardlinked to a security
> > susceptible file which will remain even after the upgrade because of the
> > hardlink). of course, as the files are immutable, the chmod fails, but
> > this behavior is never seen for all other files because dpkg unlinks them
> > without chmoding them first (and unlinking is allowed).
>
> my final solution is attached, which is a patch to dpkg disabling the
> behavior of chmodding a setuid/gid file 600 before removing it. this still
> doesn't address the security problem of a non-root user hardlinking a
> locally-exploitable setuid file before upgrade and it still being available
> to exploit after upgrade. the solution to that is limiting users to
> writing on a partition (/home) separate from setuid files (/ & /usr) (which
> is already a "best practice", but hard to justify on small-sized vserver
> guests).
>
> so anyways, this is the patch that i applied to dpkg that i installed only
> on my hashified/unified vserver guests, not the vserver host.
sidenote, we adjusted the access checks recently to
return proper state for scuh files, and in the near
future cow link breaking (on chmod/chown) will be
added to the devel branch (which should ease this)
nevertheless it can't hurt to avoid such issues for
compatibility reasons ....
best,
Herbert
> corey
> --
> undefined@pobox.com
> --- dpkg-1.10.28/debian/changelog.orig 2006-08-13 03:56:24.000000000 -0500
> +++ dpkg-1.10.28/debian/changelog 2006-08-13 03:58:01.000000000 -0500
> @@ -1,3 +1,9 @@
> +dpkg (1.10.28-0vserver1) stable; urgency=low
> +
> + * do not chmod before unlinking a sticky or set-id file
> +
> + -- Corey Wright <undefined@pobox.com> Sun, 13 Aug 2006 03:51:49 -0500
> +
> dpkg (1.10.28) unstable; urgency=low
>
> The "Awh, yeah? Ripper!" Release.
> --- dpkg-1.10.28/main/help.c.orig 2004-11-10 21:16:33.000000000 -0600
> +++ dpkg-1.10.28/main/help.c 2006-08-13 03:47:36.000000000 -0500
> @@ -440,10 +440,10 @@ int chmodsafe_unlink(const char *pathnam
> struct stat stab;
>
> if (lstat(pathname,&stab)) return -1;
> - if (S_ISREG(stab.st_mode) ? (stab.st_mode & 07000) :
> - !(S_ISLNK(stab.st_mode) || S_ISDIR(stab.st_mode) ||
> + if (!(S_ISREG(stab.st_mode) ||
> + S_ISLNK(stab.st_mode) || S_ISDIR(stab.st_mode) ||
> S_ISFIFO(stab.st_mode) || S_ISSOCK(stab.st_mode))) {
> - /* We chmod it if it is 1. a sticky or set-id file, or 2. an unrecognised
> + /* We chmod it if it is an unrecognised
> * object (ie, not a file, link, directory, fifo or socket
> */
> if (chmod(pathname,0600)) return -1;
> _______________________________________________
> Vserver mailing list
> Vserver@list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Thu Aug 17 22:05:34 2006