The Quest to Secure chown and symlinks (opens in new tab)

(buildkite.com)

59 pointsjuanfatas2y ago27 comments

27 comments

24 comments · 7 top-level

angry_octet2y ago· 6 in thread

There would traditionally been another TOCTOU is the described solution, namely hardlinks. This can often be used to get root to do something to a file it shouldn't.

The trad solution is to have user writeable areas (home, vartmp, tmp) on different volumes. Some tools have options to not traverse symlinks across volumes for this and other reasons. But on modern systems you are protected by the fs.protected_hardlinks setting.

https://wiki.alpinelinux.org/wiki/Sysctl.conf

tadfisher2y ago

Researching this, found [1]:

> POSIX guarantees that hard links can exist. It follows that, on POSIX systems without any non-standard protections, it's unsafe for anyone (but in particular, root) to do anything sensitive in a directory that is writable by another user. Cross-platform programs designed to do so are simply flawed.

I feel like something had to have been lost in translation from Unix to POSIX here. In the original implementation, were users able to hardlink (well, "link") files owned by others? If so, this is a foundational flaw that should probably be fixed across the board with something similar to Linux's non-standard sysctl option.

[1]: http://michael.orlitzky.com/articles/posix_hardlink_heartach...

angry_octet2y ago

Yes, normally you could hard link any file if you can read a directory that references it, and if there was a directory you had write access to on the same volume. The hard link doesn't change the permissions of the file.

Hard links are particularly useful for having multiple copies of a directory tree without consuming space for the files. Eg to create an overlay of a build tree, with your changes on top. Unfortunately CoW file systems still have many issues that make this difficult.

tedunangst2y ago

A link is just a directory entry. If you can write to the directory, you can create entries in it. And back in olden times, mkdir was setuid because it wasn't a syscall.

remram2y ago

Can a user make a hard link to a file they don't own? How does this attack work?

tadfisher2y ago

These links (pun unfortunate) should help:

https://sysctl-explorer.net/fs/protected_hardlinks/

http://michael.orlitzky.com/articles/posix_hardlink_heartach...

remram2y ago

Answer: fs.protected_hardlinks=1 is what prevents the creation of hardlinks to files you don't own. It's on by default on all machines I checked though.

https://github.com/torvalds/linux/commit/800179c9b8a1e796e44...

Without this, a whole lot of attacks are possible with hardlinks.

nunez2y ago· 3 in thread

test -L checks if a file is a symlink; no need for realpath comparisons (which is slower)

somat2y ago

Yeah but what do you do if your are not using shell?

Hint: it's stat(2) (or equivalent in your language library)

Additional hint: if using pythons os.stat set follow_symlinks to false. It recently took me an embarrassing long time to figure out why my script was failing to find symlinks.

nunez2y ago

but they were using a shell script in this blog though (and, yes, stat(2) is the way to go there)

1 more reply

tux2bsd2y ago

> checks if a file is a symlink

to expand on that:

"In computing, a symbolic link (also symlink or soft link) is a file whose purpose is to point to a file or directory (called the "target") by specifying a path thereto."

pdimitar2y ago· 2 in thread

This just cements my conviction that file systems not having transactional operations is a huge omission nowadays. It really is time to start having file systems that are not just huge mutable spaces, and be more like proper ACID databases.

I hope somebody is working on it because as things are going in the last years, I'd be retired before I have the time for it.

tinus_hn2y ago

How does that solve the problem of links pointing places where you don’t expect them to, or any of the other issues in this article?

The problem here is trying to cross a security boundary where your only tool is shell scripting. That’s just basically impossible to do securely.

Use a real programming language, follow the rules required to make it secure and do all the checks you need to.

pdimitar2y ago

It would solve it by disallowing changing of the underlying path from a symlink to a file (and vice versa) while a transaction to do a `chown` is still underway.

Though that would require much more than just ACID semantics but also proper user / jail isolation.

Hello712y ago· 2 in thread

  (cd "$path" && [ "$(pwd -P)" = "$path" ] && chown -R buildkite-agent:buildkite-agent .)

the real question though is why they're trusting just Docker alone to isolate customers; if they want the jobs to effectively be a single user to the system, they can even use unprivileged user namespaces?

lox2y ago

This stack is run by a single customer on trusted code isolated in their own AWS env. (I wrote it originally 6-7 years back)

There are radically better isolation strategies now. Firecracker and/or Sysbox hardened docker containers is one I’ve recently implemented.

Y_Y2y ago

When all you have is a hammer...

kazinator2y ago· 2 in thread

I have a small project in this approximate area:

https://www.kylheku.com/cgit/safepath/about/

safepath is a function which tries to analyze whether a path is safe to use. Roughly that means that it doesn't resolve in some way that can be controlled by another (non-root) user.

A something similar to this is in TXR Lisp under the name path-components-safe:

https://www.kylheku.com/cgit/txr/tree/stdlib/path-test.tl?hl...

Quekid52y ago

This seems to still be vulnerable to TOCTOU?

Tho, to be fair, it's probably an improvement by narrowing how simple it is to exploit relative to doing nothing.

kazinator2y ago

I'm not going to sit there claiming it's not vulnerable to anything.

But, assuming it does what it's supposed to, the inherent semantics of the check is supposed to eliminate TOCtoTOU.

The reason is that if we validate, from left to right, that no part of the path is under the control of adversaries, then nothing can happen to that path between the time of check and time of use.

(At least nothing that isn't self-inflicted, which would be outside of the scope. If root checks a path for safety, but root itself has a parallel task going on which changes the permissions or symbolic links in ways that affect the security status of that path, we can regard that as root's self-inflicted problem. That's nearly the same as the ever-present threat that a careless sysadmin might "chmod 777" an sensitive file.)

In fact, development of this function was motivated by exploring the question: can we do security checks on a path in such a way that if the answer is affirmative, it continues to tell the truth moments later, when the same path is accessed?

1 more reply

jrmg2y ago· 1 in thread

Why do the files have bad permissions to start with?

lox2y ago

Docker is running as root, so the files written in mounted volumes get mapped to uid 0 on the host. When the agent then goes to re-use the checked out code, it can’t run ‘git clean’.

Username space remapping wasn’t adequate, for reasons I’m a bit blurry on. I think recent kernels have some better options on remapping permissions across file systems.

blibble2y ago· 1 in thread

why is it running as root anyway?

should probably setuid to the correct user and do the thing there instead

Avamander2y ago

Well in some cases avoiding root might help. But you can have flaws like this root or not, for example Apache httpd still has a known TOCTOU vulnerability with symlinks with a broken check (SymlinksIfOwnerMatch does not actually work).

j / k navigate · click thread line to collapse

27 comments

24 comments · 7 top-level

angry_octet2y ago· 6 in thread

There would traditionally been another TOCTOU is the described solution, namely hardlinks. This can often be used to get root to do something to a file it shouldn't.

https://wiki.alpinelinux.org/wiki/Sysctl.conf

tadfisher2y ago

Researching this, found [1]:

[1]: http://michael.orlitzky.com/articles/posix_hardlink_heartach...

angry_octet2y ago

tedunangst2y ago

A link is just a directory entry. If you can write to the directory, you can create entries in it. And back in olden times, mkdir was setuid because it wasn't a syscall.

remram2y ago

Can a user make a hard link to a file they don't own? How does this attack work?

tadfisher2y ago

These links (pun unfortunate) should help:

https://sysctl-explorer.net/fs/protected_hardlinks/

http://michael.orlitzky.com/articles/posix_hardlink_heartach...

remram2y ago

Answer: fs.protected_hardlinks=1 is what prevents the creation of hardlinks to files you don't own. It's on by default on all machines I checked though.

https://github.com/torvalds/linux/commit/800179c9b8a1e796e44...

Without this, a whole lot of attacks are possible with hardlinks.

nunez2y ago· 3 in thread

test -L checks if a file is a symlink; no need for realpath comparisons (which is slower)

somat2y ago

Yeah but what do you do if your are not using shell?

Hint: it's stat(2) (or equivalent in your language library)

Additional hint: if using pythons os.stat set follow_symlinks to false. It recently took me an embarrassing long time to figure out why my script was failing to find symlinks.

nunez2y ago

but they were using a shell script in this blog though (and, yes, stat(2) is the way to go there)

1 more reply

tux2bsd2y ago

> checks if a file is a symlink

to expand on that:

"In computing, a symbolic link (also symlink or soft link) is a file whose purpose is to point to a file or directory (called the "target") by specifying a path thereto."

pdimitar2y ago· 2 in thread

I hope somebody is working on it because as things are going in the last years, I'd be retired before I have the time for it.

tinus_hn2y ago

How does that solve the problem of links pointing places where you don’t expect them to, or any of the other issues in this article?

The problem here is trying to cross a security boundary where your only tool is shell scripting. That’s just basically impossible to do securely.

Use a real programming language, follow the rules required to make it secure and do all the checks you need to.

pdimitar2y ago

It would solve it by disallowing changing of the underlying path from a symlink to a file (and vice versa) while a transaction to do a `chown` is still underway.

Though that would require much more than just ACID semantics but also proper user / jail isolation.

Hello712y ago· 2 in thread

  (cd "$path" && [ "$(pwd -P)" = "$path" ] && chown -R buildkite-agent:buildkite-agent .)

lox2y ago

This stack is run by a single customer on trusted code isolated in their own AWS env. (I wrote it originally 6-7 years back)

There are radically better isolation strategies now. Firecracker and/or Sysbox hardened docker containers is one I’ve recently implemented.

Y_Y2y ago

When all you have is a hammer...

kazinator2y ago· 2 in thread

I have a small project in this approximate area:

https://www.kylheku.com/cgit/safepath/about/

safepath is a function which tries to analyze whether a path is safe to use. Roughly that means that it doesn't resolve in some way that can be controlled by another (non-root) user.

A something similar to this is in TXR Lisp under the name path-components-safe:

https://www.kylheku.com/cgit/txr/tree/stdlib/path-test.tl?hl...

Quekid52y ago

This seems to still be vulnerable to TOCTOU?

Tho, to be fair, it's probably an improvement by narrowing how simple it is to exploit relative to doing nothing.

kazinator2y ago

I'm not going to sit there claiming it's not vulnerable to anything.

But, assuming it does what it's supposed to, the inherent semantics of the check is supposed to eliminate TOCtoTOU.

The reason is that if we validate, from left to right, that no part of the path is under the control of adversaries, then nothing can happen to that path between the time of check and time of use.

1 more reply

jrmg2y ago· 1 in thread

Why do the files have bad permissions to start with?

lox2y ago

Docker is running as root, so the files written in mounted volumes get mapped to uid 0 on the host. When the agent then goes to re-use the checked out code, it can’t run ‘git clean’.

Username space remapping wasn’t adequate, for reasons I’m a bit blurry on. I think recent kernels have some better options on remapping permissions across file systems.

blibble2y ago· 1 in thread

why is it running as root anyway?

should probably setuid to the correct user and do the thing there instead

Avamander2y ago

j / k navigate · click thread line to collapse