-
Notifications
You must be signed in to change notification settings - Fork 247
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do more when COPY_AS_IS misses required shared libraries? #2279
Comments
For completeness and easier readability A copy of Now I am wondering if there could be ever a use case I think a shared object (library) can not at all work
Or could a shared object be useful in any way A copy of No. It just won't load. So it is a non-functional trap waiting for someone to step into. ;-) And I'd like to object, as least a bit: While ReaR is not that high on (even developer-oriented) usability, it is not that bad: ReaR has so many little functions included that try to auto-detect and/or auto-correct stuff which would be hard to get right the first time. So it just works in many cases, which makes it get usability points. ReaR also includes considerable effort to spot problems and provide useful information in logs, which makes it get additional points. So maybe improving COPY_AS_IS to inspect shared libraries would be a good idea. Currently, it lets ldd look at every shell/python/whatever executable script, so why not make it inspect shared libraries? The only problem would be the naming. It's not just .so or .so (as this would include syslog.socket) or lib.so*. You could have:
Maybe something like *.so plus .so.[0-9] would do... A copy of My reason behinf my question in improving COPY_AS_IS to inspect shared libraries would be a good idea but I would try to go even further and try to
which may result in the end to inspect all regular files A copy of All files would probaby be a bit too much. I've tested a bit and found that this one would get me all shared libraries:
But some caution from http://man7.org/linux/man-pages/man1/ldd.1.html seems advisable:
So if someone configured ReaR to include user-writable directories in COPY_AS_IS, executables lying around there might be executed with root privileges. This could already happen currently, so it would probably be a good idea to limit executable examination to safe paths only. It is not clear from the above statement whether a shared library would be considered an executable, too (in most respects, it is). So if COPY_AS_IS were to be extended, it would probably be safer to limit automatic examination of shared libraries to safe paths only (such as /lib and /usr/lib) as well. I still think that extending COPY_AS_IS would be a good idea and might even save you some support headaches later on. A copy of I know about the security issues with ldd I think if 990_verify_rootfs.sh would have checked all regular files To verify my assumption I ask you to do the following test:
to
(i.e. remove the -executable to find all regular files)
and attach your rear debug log so that I can have a look I tested it on my rather fast computer on plain command line
I think one or two minutes more time during "rear mkrescue" The only case I know where time matters for "rear mkrescue" I also tested "rear mkresue" with a modified 990_verify_rootfs.sh
That modified 990_verify_rootfs.sh needed only about 40 seconds The reason is that kernel modules are not tested, cf.
so only about two-thirds of the regular files The whole "rear mkrescue" took one minute and 15 seconds I noticed that I use FIRMWARE_FILES=( 'no' ) (as I always do)
which saves me about 6 seconds for useless ldd for firmware files. A copy of I was thinking about if it could be sufficient I did a quick test to see in which directories in the recovery system
Accordingly files where running ldd makes sense |
@OliverO2 On first glance I like your item 3. most of all
because it is simple and straightforward By the way: |
@jsmeix I would not expect problems own my own if you'd not limit the directory list. But I'd be unhappy if some admin by accident configured something like |
Have tested it with |
…es_issue2279 Improved check for missing libraries in 990_verify_rootfs.sh so that now also libraries are checked that are no executables plus skipped the ldd test for firmware files, cf. #2279
With #2280 merged I would like to do a mitigation of the ldd security issue |
…_missing_libraries_issue2279 Do not run 'ldd' on untrusted files to mitigate possible ldd security issues because some versions of ldd may directly execute the file (see "man ldd") which happens as user 'root' during "rear mkrescue". The new TRUSTED_FILE_OWNERS user config array contains user names that are trusted owners of files where RequiredSharedObjects calls ldd (cf. COPY_AS_IS) and where a ldd test is run inside the recovery system that tests all binaries for 'not found' libraries, see #2279 Furthermore use '2>>/dev/$DISPENSABLE_OUTPUT_DEV' at more places to avoid that the "rear -D mkrescue" log file size would grow from about 5 MiB to about 17 MiB so that now that log file size even shrinked to about 2 MiB, see #2279
With #2286 merged |
@OliverO2 |
My next step is to use TRUSTED_FILE_OWNERS to check |
This is to continue a discussion about whether to extend the functionality of
COPY_AS_IS
with respect to detecting and/or automatically adding missing shared libraries.This is a starting point of former postings: #2278 (comment)
Answering @jsmeix: #2278 (comment)
I did some tests on a production development system (equipped with SSDs in a RAID 1 configuration). I've used
rear mkopalpba
as this was where the libraries were missing. I'm reluctant to post complete logs publicly from such a system but I nevertheless tried to capture all the relevant information.Console output
These common lines appeared at the top of each run and were stripped from output below for better readability:
Now my experiments with different find configurations in
build/default/990_verify_rootfs.sh
:Using
find $ROOTFS_DIR -type f -executable -printf '/%P\n'
:Using
find $ROOTFS_DIR -type f -printf '/%P\n'
:Using
find $ROOTFS_DIR -type f \( -executable -o -name '*.so' -o -name '*.so.[0-9]*' \) -printf '/%P\n'
:Using
find $ROOTFS_DIR/bin $ROOTFS_DIR/lib* $ROOTFS_DIR/opt $ROOTFS_DIR/sbin $ROOTFS_DIR/usr/bin $ROOTFS_DIR/usr/lib* $ROOTFS_DIR/usr/local $ROOTFS_DIR/usr/sbin -type f \( -executable -o -name '*.so' -o -name '*.so.[0-9]*' \) -print | sed "s;^$ROOTFS_DIR;;"
:Log excerpts
Remarks
multiple starting points, stripping
$ROOTFS_DIR
from paths could not be done via-printf
, so sed was used.)We'd have to judge the likelihood and risks involved. Would we go for finding problems in obscure places or would we prefer higher security?
The text was updated successfully, but these errors were encountered: