-
Notifications
You must be signed in to change notification settings - Fork 766
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potential symlink/directory traversal issue in user ID extraction #66
Comments
Switch fopenContainerFile from using Stat/Lstat after opening the file to using EvalSymlinks to resolve the file's path as a symlink, checking that the result is inside of the container's root fs, and then opening the link's target instead. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Are you suggesting something like nalind@97ca24a? What did we not catch with the (possibly over-restrictive) lstat-after-opening method? |
1 similar comment
Switch fopenContainerFile from using Stat/Lstat after opening the file to using EvalSymlinks to resolve the file's path as a symlink, checking that the result is inside of the container's root fs, and then opening the link's target instead. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@fweimer The patch with the fix I'm looking at had a conflict in it, so I've rebased it to nalind@2c38752. I'd appreciate any guidance you can offer. |
@nalind, when this code is run, is the file system directory tree dead and inaccessible to unprivileged processes, or is concurrent modification of the tree possible? |
The filesystem tree is mounted on the host, so modification is possible for users with the necessary privileges. |
@nalind, in this case, the code still has a time-of-check-time-of-use race condition because after symbolic link resolution, the file system tree could change and contain symbolic links again. You either have to use |
Switch fopenContainerFile from using Stat/Lstat after opening the file to using openat() to walk the given path, resolving links to keep them from escaping the container's root fs. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Switch fopenContainerFile from using Stat/Lstat after opening the file to using openat() to walk the given path, resolving links to keep them from escaping the container's root fs. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Switch fopenContainerFile from using Stat/Lstat after opening the file to using openat() to walk the given path, resolving links to keep them from escaping the container's root fs. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind have you done anything else for this issue? |
@nalind any update on this? |
Switch fopenContainerFile from using Stat/Lstat after opening the file to using openat() to walk the given path, resolving links to keep them from escaping the container's root fs. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Alright, I'm beginning to think there's no way around having to use chroot(). master...nalind:user2 contains what I'm thinking should prevent the directory traversal problem. |
Switch fopenContainerFile from using Stat/Lstat after opening the file to using openat() to walk the given path, resolving links to keep them from escaping the container's root fs. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Use chroot() instead of trying to read the right file ourselves. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Use chroot() instead of trying to read the right file ourselves. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Use chroot() instead of trying to read the right file ourselves. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Use chroot() instead of trying to read the right file ourselves. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Switch fopenContainerFile from using Stat/Lstat after opening the file to using openat() to walk the given path, resolving links to keep them from escaping the container's root fs. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Use chroot() instead of trying to read the right file ourselves. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Use chroot() instead of trying to read the right file ourselves. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Use chroot() instead of trying to read the right file ourselves. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Switch fopenContainerFile from using Stat/Lstat after opening the file to using openat() to walk the given path, resolving links to keep them from escaping the container's root fs. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
* Use chroot() instead of trying to read the right file ourselves. This should resolve #66. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: umohnani8 <umohnani@redhat.com> Closes: #66 Approved by: mheon
Commit b1bb73e (“ Teach "Run" to dig user IDs out of containers”) added the
fopenContainerFile
function. It does not correctly deal with symbolic links, which could point to something outside of the container root.The text was updated successfully, but these errors were encountered: