-
Notifications
You must be signed in to change notification settings - Fork 236
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
potentially insecure use of /tmp #304
Comments
This directory is a mount point for a tmpfs that only exists in bubblewrap's mount namespace, so I don't think its contents matter (which is why it's OK that all bubblewrap processes with the same uid use the There are some tricky constraints on this directory. I think it might be created at a point in bubblewrap's lifetime where it shouldn't be trusting environment variables, so it can't fall back from $XDG_RUNTIME_DIR to $XDG_CACHE_HOME to $HOME/.cache like GLib does; but as far as I can see there's no good time for bubblewrap to delete the directory, so if it used mkstemp() you'd get one empty directory in /tmp for every bubblewrap run, which would never be deleted, which is eventually also denial of service. Distribution packages can probably address this by creating an empty directory somewhere (in the package or in maintainer scripts) and making bubblewrap use that - because it mounts a tmpfs over the top, all it needs is a mount point somewhere out of the way, that you aren't ever going to want to expose in one of your bubblewrap-based containers (which rules out using /run, /tmp, /mnt, etc. as the mount point, because those are useful directories that you might want to share with the host). |
In fact it looks as though we can use any directory that is guaranteed to exist and be owned by root on any reasonable distribution, like |
An attacker could pre-create /tmp/.bubblewrap-$UID and make it a non-directory, non-symlink (in which case mounting our tmpfs would fail, causing denial of service), or make it a symlink under their control (potentially allowing bad things if the protected_symlinks sysctl is not enabled). Instead, temporarily mount the tmpfs on a directory that we are sure exists and is not attacker-controlled. We already rely on /proc to have those properties, so it seems as good a place as any. This doesn't appear to have any impact on our ability to use /proc as either the source or the destination of a bind-mount. Fixes: containers#304 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923557 Signed-off-by: Simon McVittie <smcv@debian.org>
I would very much appreciate review on this. I'm preparing an upload to Debian unstable, but I don't think I'm comfortable with preparing stable updates with a backport of the solution I proposed until someone with a better overview of how bubblewrap uses |
An attacker could pre-create /tmp/.bubblewrap-$UID and make it a non-directory, non-symlink (in which case mounting our tmpfs would fail, causing denial of service), or make it a symlink under their control (potentially allowing bad things if the protected_symlinks sysctl is not enabled). Instead, temporarily mount the tmpfs on a directory that we are sure exists and is not attacker-controlled. /tmp (the directory itself, not a subdirectory) will do. Fixes: containers#304 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923557 Signed-off-by: Simon McVittie <smcv@debian.org>
An attacker could pre-create /tmp/.bubblewrap-$UID and make it a non-directory, non-symlink (in which case mounting our tmpfs would fail, causing denial of service), or make it a symlink under their control (potentially allowing bad things if the protected_symlinks sysctl is not enabled). Instead, temporarily mount the tmpfs on a directory that we are sure exists and is not attacker-controlled. /tmp (the directory itself, not a subdirectory) will do. Fixes: #304 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923557 Signed-off-by: Simon McVittie <smcv@debian.org> Closes: #305 Approved by: cgwalters
An attacker could pre-create /tmp/.bubblewrap-$UID and make it a non-directory, non-symlink (in which case mounting our tmpfs would fail, causing denial of service), or make it a symlink under their control (potentially allowing bad things if the protected_symlinks sysctl is not enabled). Instead, temporarily mount the tmpfs on a directory that we are sure exists and is not attacker-controlled. /tmp (the directory itself, not a subdirectory) will do. Fixes: #304 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923557 Signed-off-by: Simon McVittie <smcv@debian.org> Closes: #305 Approved by: cgwalters
An attacker could pre-create /tmp/.bubblewrap-$UID and make it a non-directory, non-symlink (in which case mounting our tmpfs would fail, causing denial of service), or make it a symlink under their control (potentially allowing bad things if the protected_symlinks sysctl is not enabled). Instead, temporarily mount the tmpfs on a directory that we are sure exists and is not attacker-controlled. /tmp (the directory itself, not a subdirectory) will do. Fixes: #304 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923557 Signed-off-by: Simon McVittie <smcv@debian.org> Closes: #305 Approved by: cgwalters
@smcv any plans to cut a release including this fix? |
I don't do releases for this project. @cgwalters? |
I think this deserves a CVE. Has anyone already requested one? Any objections against having one allocated? |
For reference this was fixed with https://github.com/projectatomic/bubblewrap/releases/tag/v0.3.3
No objections though I'd also note that I believe this to not be exploitable in most distributions (including RHEL) since |
I agree. I will request anyway one so that each distro can judge for itself. |
CVE-2019-12439 was assigned to this issue. |
@jwilk reported this Debian bug (#923557):
The text was updated successfully, but these errors were encountered: