New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Compatibility with or without Usr-Merge #113
Conversation
Pull Request Test Coverage Report for Build 2153740547
💛 - Coveralls |
@jsegitz: Please have a look from the security PoV. See also https://github.com/yast/yast-yast2/blob/master/doc/yast-invoking-external-commands.md |
913189f
to
cf45cba
Compare
The original intention of using absolute paths was more kind of a hardening thought I guess. For a code reviewer it feels better that way since there are less possibilities of surprises. If it is made sure, as the PR description says, that the PATH is sanitized to only contain trusted paths then this change is unproblematic. That the shell is used for all external commands is a bit unlucky. It mostly could cause problems when the code is invoked in a privilege escalation context where also environment variables are inherited, like in a setuid-root context or su/sudo context with such configuration. In that case it is the responsibility of the people designing or invoking the privilege escalation to keep things safe. |
Sure, that were the original intentions of the change after the security audit some years ago. It wasn't easy for the auditor to to assess in what different ways external commands are being called. That's why we collected them in that document so everybody reading the code (within or outside the YaST team) can have an overview: https://github.com/yast/yast-yast2/blob/master/doc/yast-invoking-external-commands.md
Okay, thank you, that was what we wanted to be confirmed!
Sure. That's why our modern way of invoking commands ( Long term, our intention is of course to modernize the code when we touch an area anyway. But that's a question of available resources; not least at all because when we do a change of such magnitude, we need good test coverage first, and that's also a sore point of much of that code that in part goes back until the early 2000s. Thank you for your assessment! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like a mistake in merge or missing merge, lots of comments were lost...
e2e656d
to
4b6935c
Compare
✔️ Public Jenkins job #42 successfully finished |
Trello
https://trello.com/c/vySWWKUv/
Bugzilla / GitHub Issue
Problem
External programs were called with an absolute path, even those from known secure directories like
/sbin
,/usr/sbin
,/bin
,/usr/bin
. But for the usr-merge, they are being moved from/sbin
to/usr/sbin
and from/bin
to/usr/bin
, so those absolute paths would need to be adapted for distros that do that.openSUSE Tumbleweed already did that, SLE-15 (GA, SPx) and Leap 15.x did not, so we would need to use different paths to call those external programs, depending on the target distro.
Solution
Don't call them with the full path, use
$PATH
instead; we are using a well-defined secure$PATH
that we set up at the very start of YaST. That$PATH
is inherited by all child processes.Why Doesn't this Fail right now in TW?
Right now, TW has some compatibility symlinks, including:
/bin
->/usr/bin
/sbin
->/usr/sbin
So those programs from the open-iscsi package can still be found via those. How long those symlinks will remain available is anyone's guess; while
/bin
->/usr/bin
will probably not be removed for the forseeable future (too many third-party scripts would break), the same is not so sure about/sbin
->/usr/sbin
.We want to make sure, not make assumptions.
More Details
Target Branch
This should not to merged to master before we branched off SLE-15 SP4 / Leap 15.4.