-
Notifications
You must be signed in to change notification settings - Fork 24
/
31-fix-symlink-traversal.patch
61 lines (57 loc) · 2.67 KB
/
31-fix-symlink-traversal.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
diff -upr cfengine-a/libutils/file_lib.c cfengine-b/libutils/file_lib.c
--- cfengine-a/libutils/file_lib.c 2016-11-01 08:47:08.000000000 +0100
+++ cfengine-b/libutils/file_lib.c 2016-11-25 18:21:44.163553332 +0100
@@ -387,6 +387,7 @@ int safe_open(const char *pathname, int
bool trunc = false;
const int orig_flags = flags;
char *next_component = path;
+ bool p_uid;
if (*next_component == '/')
{
@@ -408,6 +409,9 @@ int safe_open(const char *pathname, int
return -1;
}
+ // current process user id
+ p_uid = geteuid();
+
size_t final_size = (size_t) -1;
while (next_component)
{
@@ -558,8 +562,13 @@ int safe_open(const char *pathname, int
close(currentfd);
return -1;
}
- if (stat_before.st_uid != stat_after.st_uid ||
- stat_before.st_gid != stat_after.st_gid)
+ // The probable logic behind the user matching test is that some attacks use symlink creation to exploit a race condition
+ // This attack is not useful if the symlink has been created by root
+ // This attack is not useful if the process's user is the owner of the symlink
+ // As everyone use symlink for server administration, we reenable those cases.
+ if ( stat_before.st_uid != 0 &&
+ stat_before.st_uid != p_uid &&
+ (stat_before.st_uid != stat_after.st_uid || stat_before.st_gid != stat_after.st_gid) )
{
close(currentfd);
// Return ENOLINK to signal that the link cannot be followed
@@ -736,6 +745,7 @@ static int safe_open_true_parent_dir(con
char *parent_dir = dirname(parent_dir_alloc);
char *leaf = basename(leaf_alloc);
struct stat statbuf;
+ uid_t p_uid = geteuid();
if ((dirfd = safe_open(parent_dir, O_RDONLY)) == -1)
{
@@ -747,7 +757,14 @@ static int safe_open_true_parent_dir(con
goto cleanup;
}
- if (traversed_link && (link_user != statbuf.st_uid || link_group != statbuf.st_gid))
+ // The probable logic behind the user matching test is that some attacks use symlink creation to exploit a race condition
+ // This attack is not useful if the symlink has been created by root
+ // This attack is not useful if the process's user is the owner of the symlink
+ // As everyone use symlink for server administration, we reenable those cases.
+ if ( traversed_link &&
+ link_user != 0 &&
+ link_user != p_uid &&
+ (link_user != statbuf.st_uid || link_group != statbuf.st_gid) )
{
errno = ENOLINK;
ret = -1;