From 9cf74aa49835a8309bdc1d9e12afe1925003f141 Mon Sep 17 00:00:00 2001 From: Michael Orlitzky Date: Wed, 28 Feb 2018 17:33:17 -0500 Subject: [PATCH] Eliminate the last bit of pathname usage. A lot of work has been done recently to make apply-default-acl safe from symlink and hardlink attacks. A big part of that work was the recent switch to using file descriptors instead of pathnames; but, pathnames still lingered in a few places due to a shortcoming in libacl. Through the use of a new function, acl_copy_xattr(), I've finally eliminated those last few bits. The apply_default_acl_ex() function now uses path names only as arguments to safe_open(), which hopefully is safe. Afterwards, the file descriptors obtained from safe_open() are used. Thus the hard and symlink attacks should finally be fixed, modulo a tiny race condition between safe_open() and fstat() that has no known solution. These changes rely on the Linux xattr implementation and kill our portability, but I don't think we ever had any to begin with. --- configure.ac | 4 +- src/libadacl.c | 300 ++++++++++++++++++++++++++++++++----------------- 2 files changed, 202 insertions(+), 102 deletions(-) diff --git a/configure.ac b/configure.ac index e64224a..6e45872 100644 --- a/configure.ac +++ b/configure.ac @@ -15,8 +15,8 @@ AC_HEADER_STDC # stdlib.h string.h (implied: errno.h limits.h stdio.h) AC_TYPE_MODE_T # Check for header files not covered by the predefined macros above. -AC_CHECK_HEADERS([ fcntl.h ftw.h getopt.h libgen.h limits.h sys/acl.h ]) -AC_CHECK_HEADERS([ sys/libacl.h sys/types.h unistd.h ]) +AC_CHECK_HEADERS([ fcntl.h ftw.h getopt.h libgen.h limits.h linux/xattr.h ]) +AC_CHECK_HEADERS([ sys/acl.h sys/libacl.h sys/types.h unistd.h ]) # We need openat() with O_NOFOLLOW from POSIX-2008. Without them, we # can't operate securely; I would rather refuse to be built. diff --git a/src/libadacl.c b/src/libadacl.c index 789d12c..35f8de7 100644 --- a/src/libadacl.c +++ b/src/libadacl.c @@ -8,21 +8,25 @@ /* Enables get_current_dir_name() in unistd.h and the O_PATH flag. */ #define _GNU_SOURCE -#include /* EINVAL, ELOOP, ENOTDIR, etc. */ -#include /* openat() */ -#include /* basename(), dirname() */ -#include /* PATH_MAX */ -#include /* the "bool" type */ -#include /* perror(), snprintf() */ -#include /* free() */ -#include /* strdup() */ -#include /* fstat() */ -#include /* get_current_dir_name() */ +#include /* EINVAL, ELOOP, ENOTDIR, etc. */ +#include /* openat() */ +#include /* basename(), dirname() */ +#include /* PATH_MAX */ +#include /* the "bool" type */ +#include /* perror(), snprintf() */ +#include /* free() */ +#include /* strdup() */ +#include /* fstat() */ +#include /* fgetxattr(), fsetxattr() */ +#include /* get_current_dir_name() */ /* ACLs */ #include /* acl_get_perm, not portable */ #include /* all other acl_foo functions */ +/* XATTR_NAME_POSIX_ACL_ACCESS and XATTR_NAME_POSIX_ACL_DEFAULT */ +#include + #include "libadacl.h" @@ -33,6 +37,7 @@ #define OPEN_ERROR -1 #define SNPRINTF_ERROR -1 #define STAT_ERROR -1 +#define XATTR_ERROR -1 /** @@ -249,21 +254,13 @@ int acl_set_entry(acl_t* aclp, acl_entry_t entry) { } if (existing_tag == entry_tag) { - if (entry_tag == ACL_USER_OBJ || - entry_tag == ACL_GROUP_OBJ || - entry_tag == ACL_OTHER) { - /* Only update for these three since all other tags will have - been wiped. These three are guaranteed to exist, so if we - match one of them, we're allowed to return ACL_SUCCESS - below and bypass the rest of the function. */ - if (acl_set_permset(existing_entry, entry_permset) == ACL_ERROR) { - perror("acl_set_entry (acl_set_permset)"); - return ACL_ERROR; - } - - return ACL_SUCCESS; + /* If we update something, we're done and return ACL_SUCCESS */ + if (acl_set_permset(existing_entry, entry_permset) == ACL_ERROR) { + perror("acl_set_entry (acl_set_permset)"); + return ACL_ERROR; } + return ACL_SUCCESS; } result = acl_get_entry(*aclp, ACL_NEXT_ENTRY, &existing_entry); @@ -554,49 +551,6 @@ int any_can_execute(int fd, const struct stat* sp) { -/** - * @brief Set @c acl as the default ACL on @c path. - * - * This overwrites any existing default ACL on @c path. If @c path is - * not a directory, we return ACL_ERROR and @c errno is set. - * - * @param path - * The target directory whose ACL we wish to replace or create. - * - * @param acl - * The ACL to set as default on @c path. - * - * @return - * - @c ACL_SUCCESS - The default ACL was assigned successfully. - * - @c ACL_ERROR - Unexpected library error. - */ -int assign_default_acl(const char* path, acl_t acl) { - if (path == NULL || acl == NULL) { - errno = EINVAL; - perror("assign_default_acl (args)"); - return ACL_ERROR; - } - - /* Our return value; success unless something bad happens. */ - int result = ACL_SUCCESS; - acl_t path_acl = acl_dup(acl); - - if (path_acl == (acl_t)NULL) { - perror("assign_default_acl (acl_dup)"); - return ACL_ERROR; /* Nothing to clean up in this case. */ - } - - if (acl_set_file(path, ACL_TYPE_DEFAULT, path_acl) == ACL_ERROR) { - perror("assign_default_acl (acl_set_file)"); - result = ACL_ERROR; - } - - acl_free(path_acl); - return result; -} - - - /** * @brief Remove all @c ACL_TYPE_ACCESS entries from the given file * descriptor, leaving the UNIX permission bits. @@ -629,6 +583,103 @@ int wipe_acls(int fd) { } +/** + * @brief Copy ACLs between file descriptors as xattrs, verbatim. + * + * There is a small deficiency in libacl, namely that there is no way + * to get or set default ACLs through file descriptors. The @c + * acl_get_file and @c acl_set_file functions can do it, but they use + * paths, and are vulnerable to symlink attacks. + * + * Fortunately, when inheriting an ACL, we don't really need to look + * at what it contains. That means that we can copy the on-disk xattrs + * from the source directory to the destination file/directory without + * passing through libacl, and this can be done with file descriptors + * through @c fgetxattr and @c fsetxattr. That's what this function + * does. + * + * @param src_fd + * The file descriptor from which the ACL will be copied. + * + * @param src_type + * The type of ACL (either @c ACL_TYPE_ACCESS or @c ACL_TYPE_DEFAULT) + * to copy from @c src_fd. + * + * @param dst_fd + * The file descriptor whose ACL will be overwritten with the one + * from @c src_fd. + * + * @param dst_type + * The type of ACL (either @c ACL_TYPE_ACCESS or @c ACL_TYPE_DEFAULT) + * to replace on @c dst_fd. + * + * @return + * - @c ACL_SUCCESS - The ACL was copied successfully. + * - @c ACL_FAILURE - There was no ACL on @c src_fd. + * - @c ACL_ERROR - Unexpected library error. + */ +int acl_copy_xattr(int src_fd, + acl_type_t src_type, + int dst_fd, + acl_type_t dst_type) { + + const char* src_name; + if (src_type == ACL_TYPE_ACCESS) { + src_name = XATTR_NAME_POSIX_ACL_ACCESS; + } + else if (src_type == ACL_TYPE_DEFAULT) { + src_name = XATTR_NAME_POSIX_ACL_DEFAULT; + } + else { + errno = EINVAL; + perror("acl_copy_xattr (src type)"); + return ACL_ERROR; + } + + const char* dst_name; + if (dst_type == ACL_TYPE_ACCESS) { + dst_name = XATTR_NAME_POSIX_ACL_ACCESS; + } + else if (dst_type == ACL_TYPE_DEFAULT) { + dst_name = XATTR_NAME_POSIX_ACL_DEFAULT; + } + else { + errno = EINVAL; + perror("acl_copy_xattr (dst type)"); + return ACL_ERROR; + } + + size_t src_size_guess = fgetxattr(src_fd, src_name, NULL, 0); + if (src_size_guess == XATTR_ERROR) { + if (errno == ENODATA) { + /* A missing ACL isn't really an error. ENOATTR and ENODATA are + synonyms, but using ENODATA here lets us avoid another + "include" directive. */ + return ACL_FAILURE; + } + perror("acl_copy_xattr (fgetxattr size guess)"); + return ACL_ERROR; + } + char* src_acl_p = alloca(src_size_guess); + /* The actual size may be smaller than our guess? I don't know. */ + size_t src_size = fgetxattr(src_fd, src_name, src_acl_p, (int)src_size_guess); + if (src_size == XATTR_ERROR) { + if (errno == ENODATA) { + /* A missing ACL isn't an error. */ + return ACL_FAILURE; + } + perror("acl_copy_xattr (fgetxattr)"); + return ACL_ERROR; + } + + if (fsetxattr(dst_fd, dst_name, src_acl_p, src_size, 0) == XATTR_ERROR) { + perror("acl_copy_xattr (fsetxattr)"); + return ACL_ERROR; + } + + return ACL_SUCCESS; +} + /** * @brief Apply parent default ACL to a path. @@ -667,21 +718,41 @@ int apply_default_acl_ex(const char* path, /* Our return value. */ int result = ACL_SUCCESS; - /* The default ACL on path's parent directory */ - acl_t defacl = (acl_t)NULL; + /* The new ACL for this path */ + acl_t new_acl = (acl_t)NULL; + + /* A copy of new_acl, to be made before we begin mangling new_acl in + order to mask the execute bit. */ + acl_t new_acl_unmasked = (acl_t)NULL; /* The file descriptor corresponding to "path" */ int fd = 0; + /* The file descriptor for the directory containing "path" */ + int parent_fd = 0; + /* Get the parent directory of "path" with dirname(), which happens - * to murder its argument and necessitates a path_copy. - */ + * to murder its argument and necessitates a path_copy. */ char* path_copy = strdup(path); if (path_copy == NULL) { perror("apply_default_acl_ex (strdup)"); return ACL_ERROR; } char* parent = dirname(path_copy); + parent_fd = safe_open(parent, O_DIRECTORY | O_NOFOLLOW); + if (parent_fd == OPEN_ERROR) { + if (errno == ELOOP || errno == ENOTDIR) { + /* We hit a symlink, either in the last path component (ELOOP) + or higher up (ENOTDIR). */ + result = ACL_FAILURE; + goto cleanup; + } + else { + perror("apply_default_acl_ex (open parent fd)"); + result = ACL_ERROR; + goto cleanup; + } + } fd = safe_open(path, O_NOFOLLOW); if (fd == OPEN_ERROR) { @@ -698,7 +769,6 @@ int apply_default_acl_ex(const char* path, } } - /* Refuse to operate on hard links, which can be abused by an * attacker to trick us into changing the ACL on a file we didn't * intend to; namely the "target" of the hard link. There is TOCTOU @@ -748,43 +818,66 @@ int apply_default_acl_ex(const char* path, allow_exec = (bool)ace_result; } - defacl = acl_get_file(parent, ACL_TYPE_DEFAULT); - - if (defacl == (acl_t)NULL) { - perror("apply_default_acl_ex (acl_get_file)"); + if (wipe_acls(fd) == ACL_ERROR) { + perror("apply_default_acl_ex (wipe_acls)"); result = ACL_ERROR; goto cleanup; } - if (wipe_acls(fd) == ACL_ERROR) { - perror("apply_default_acl_ex (wipe_acls)"); + /* If it's a directory, inherit the parent's default. */ + if (S_ISDIR(sp->st_mode)) { + if (acl_copy_xattr(parent_fd, + ACL_TYPE_DEFAULT, + fd, + ACL_TYPE_DEFAULT) == ACL_ERROR) { + perror("apply_default_acl_ex (acl_copy_xattr default)"); + result = ACL_ERROR; + goto cleanup; + } + } + + /* If it's anything, _apply_ the parent's default. */ + if (acl_copy_xattr(parent_fd, + ACL_TYPE_DEFAULT, + fd, + ACL_TYPE_ACCESS) == ACL_ERROR) { + perror("apply_default_acl_ex (acl_copy_xattr access)"); result = ACL_ERROR; goto cleanup; } - /* Do this after wipe_acls(), otherwise we'll overwrite the wiped - ACL with this one. */ - acl_t acl = acl_get_fd(fd); - if (acl == (acl_t)NULL) { + /* There's a good reason why we saved the ACL above, even though + * we're about tto read it back into memory and mess with it on the + * next line. The acl_copy_xattr() function is already a hack to let + * us copy default ACLs without resorting to path names; we simply + * have no way to read the parent's default ACL into memory using + * parent_fd. We can, however, copy the parent's ACL to a file (with + * acl_copy_xattr), and then read the ACL from a file using + * "fd". It's quite the circus, but it works and should be safe from + * sym/hardlink attacks. + */ + + /* Now we potentially need to mask the execute permissions in the + ACL on fd. First obtain the current one... */ + new_acl = acl_get_fd(fd); + if (new_acl == (acl_t)NULL) { perror("apply_default_acl_ex (acl_get_fd)"); result = ACL_ERROR; goto cleanup; } - /* If it's a directory, inherit the parent's default. We sure hope - * that "path" still points to the same thing that "fd" and this - * "sp" describe. If not, we may wind up trying to set a default ACL - * on a file, and this will throw an error. I guess that's what we - * want to do? - */ - if (S_ISDIR(sp->st_mode) && assign_default_acl(path, defacl) == ACL_ERROR) { - perror("apply_default_acl_ex (assign_default_acl)"); + /* ...and now make a copy of it, because otherwise when we loop + below, some shit gets stuck (modifying the structure while + looping over it no worky). */ + new_acl_unmasked = acl_dup(new_acl); + if (new_acl_unmasked == (acl_t)NULL) { + perror("apply_default_acl_ex (acl_dup)"); result = ACL_ERROR; goto cleanup; } acl_entry_t entry; - int ge_result = acl_get_entry(defacl, ACL_FIRST_ENTRY, &entry); + int ge_result = acl_get_entry(new_acl_unmasked, ACL_FIRST_ENTRY, &entry); while (ge_result == ACL_SUCCESS) { acl_tag_t tag = ACL_UNDEFINED_TAG; @@ -804,7 +897,6 @@ int apply_default_acl_ex(const char* path, goto cleanup; } - /* If this is a default mask, fix it up. */ if (tag == ACL_MASK || tag == ACL_USER_OBJ || tag == ACL_GROUP_OBJ || @@ -829,8 +921,8 @@ int apply_default_acl_ex(const char* path, } /* Finally, add the permset to the access ACL. It's actually - * important that we pass in the address of "acl" here, and not - * "acl" itself. Why? The call to acl_create_entry() within + * important that we pass in the address of "new_acl" here, and not + * "new_acl" itself. Why? The call to acl_create_entry() within * acl_set_entry() can allocate new memory for the entry. * Sometimes that can be done in-place, in which case everything * is cool and the new memory gets released when we call @@ -842,15 +934,16 @@ int apply_default_acl_ex(const char* path, * case, &acl) to point to the new location. We want to call * acl_free() on the new location, and since acl_free() gets * called right here, we need acl_create_entry() to update the - * value of "acl". To do that, it needs the address of "acl". + * value of "new_acl". To do that, it needs the address of "new_acl". */ - if (acl_set_entry(&acl, entry) == ACL_ERROR) { + + if (acl_set_entry(&new_acl, entry) == ACL_ERROR) { perror("apply_default_acl_ex (acl_set_entry)"); result = ACL_ERROR; goto cleanup; } - ge_result = acl_get_entry(defacl, ACL_NEXT_ENTRY, &entry); + ge_result = acl_get_entry(new_acl_unmasked, ACL_NEXT_ENTRY, &entry); } /* Catches the first acl_get_entry as well as the ones at the end of @@ -861,7 +954,7 @@ int apply_default_acl_ex(const char* path, goto cleanup; } - if (acl_set_fd(fd, acl) == ACL_ERROR) { + if (acl_set_fd(fd, new_acl) == ACL_ERROR) { perror("apply_default_acl_ex (acl_set_fd)"); result = ACL_ERROR; goto cleanup; @@ -869,11 +962,18 @@ int apply_default_acl_ex(const char* path, cleanup: free(path_copy); - if (defacl != (acl_t)NULL) { - acl_free(defacl); + if (new_acl != (acl_t)NULL) { + acl_free(new_acl); + } + if (new_acl_unmasked != (acl_t)NULL) { + acl_free(new_acl_unmasked); } if (fd >= 0 && close(fd) == CLOSE_ERROR) { - perror("apply_default_acl_ex (close)"); + perror("apply_default_acl_ex (close fd)"); + result = ACL_ERROR; + } + if (parent_fd >= 0 && close(parent_fd) == CLOSE_ERROR) { + perror("apply_default_acl_ex (close parent_fd)"); result = ACL_ERROR; } return result; -- 2.43.2