Fixes for CVE-2017-18925

[KenjiBrown]

Signed-off-by: Sandio Araico Sanchez sandino@sandino.net
Bug #540006
hardened mode for opentmpfiles
Ignore some recursive options
Refuse to remove root-owned dirs and files
Refuse to chmod/chdir/chown user-owned dirs and files
Check non-existence before creating a directory
Ensure directory has been newly created before chown/chmod/chgrp
exit on error

[thesamesam]

This makes us non-compliant with the spec: https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html.

[KenjiBrown]

If some administrator has changed the context, it is for a reason. A regular user doesn't have enough permission to change context.

Allowing the robot to silently restore the context might have unwanted consequences better dealt manually.

An example:

# the administrator gives Wordpress write permission
chcon -R -t httpd_rw_content_t /var/www/wordpress/wp_upload

Some months later, the system reboots and the robot restores context on /var/www recursively, silently removing Wordpress write permissions.

[KenjiBrown]

I see no major danger if we skip both _z() and _Z() chunks, porovided the package maintainer has previously defined the correct policies.
Do you want me to roll them back?

[vapier]

kind of seems like we should just shutdown the project. systemd tmpfiles.d can be built independently, so it's questionable whether there's any value in trying to maintain an independent implementation. at least, certainly not one using shell code.

[vapier]

afaict, FOUND is only used here, so there's no need to create it at all. this line also lacks quoting.

if [ -z "$(find "${path}" -maxdepth 0 -uid 0 -gid 0)" ] ; then

[KenjiBrown]

Changed in commit 4f4576a

[vapier]

need to quote "$1"

comes up below too

[KenjiBrown]

Changed in commit 4f4576a

[vapier]

use braces with ${status}

[KenjiBrown]

Changed in commit 4f4576a

[vapier]

bad indentation in this code

[KenjiBrown]

Changed in commit 4f4576a

[vapier]

doesn't this defeat the purpose of using tmpfiles.d ? the entries are supposed to get arbitrary filesystem state back into a known good state. by bailing out here (and elsewhere), the project is only good to create files when they don't yet exist.

[KenjiBrown]

The coward refusal happens only when the owner is root.
Removing root-owned directories implies a potential security risk.
user-owned directories are allowed to be removed.

[vapier]

can't tmpfiles.d rules create dirs not owned by root by design ? so this basically wedges the state after a single run ?

[KenjiBrown]

Directory creation is refused only when a directory with the same name, owned by root already exists.
Removing directories owned by root creates potential a security risk.
Changing ownership of directories owned by root creates potential a security risk.
Only the system administrator should be able to knowingly remove directories owned by root or change ownership.

[lu-zero]

kind of seems like we should just shutdown the project. systemd tmpfiles.d can be built independently, so it's questionable whether there's any value in trying to maintain an independent implementation. at least, certainly not one using shell code.

You started your alternative impl in C++, I guess that can be a valid path forward, the rust impl of the parser is already done and has at least few tests, I guess it could be freshen and documented for those that like to try that way as well.

[vapier]

i started a rewrite because the systemd one wasn't buildable in isolation. that has changed, so i don't feel the need to pursue my own version anymore.