Compatibility with or without Usr-Merge #113
Conversation
Pull Request Test Coverage Report for Build 2153740547
💛 - Coveralls |
|
@jsegitz: Please have a look from the security PoV. See also https://github.com/yast/yast-yast2/blob/master/doc/yast-invoking-external-commands.md |
shundhammer
force-pushed
the
huha-usr-merge
branch
from
913189f
to
cf45cba
Compare
|
The original intention of using absolute paths was more kind of a hardening thought I guess. For a code reviewer it feels better that way since there are less possibilities of surprises. If it is made sure, as the PR description says, that the PATH is sanitized to only contain trusted paths then this change is unproblematic. That the shell is used for all external commands is a bit unlucky. It mostly could cause problems when the code is invoked in a privilege escalation context where also environment variables are inherited, like in a setuid-root context or su/sudo context with such configuration. In that case it is the responsibility of the people designing or invoking the privilege escalation to keep things safe. |
Sure, that were the original intentions of the change after the security audit some years ago. It wasn't easy for the auditor to to assess in what different ways external commands are being called. That's why we collected them in that document so everybody reading the code (within or outside the YaST team) can have an overview: https://github.com/yast/yast-yast2/blob/master/doc/yast-invoking-external-commands.md
Okay, thank you, that was what we wanted to be confirmed!
Sure. That's why our modern way of invoking commands ( Long term, our intention is of course to modernize the code when we touch an area anyway. But that's a question of available resources; not least at all because when we do a change of such magnitude, we need good test coverage first, and that's also a sore point of much of that code that in part goes back until the early 2000s. Thank you for your assessment! |
shundhammer
force-pushed
the
huha-usr-merge
branch
from
e2e656d
to
4b6935c
Compare
|
✔️ Public Jenkins job #42 successfully finished |
Trello
https://trello.com/c/vySWWKUv/
Bugzilla / GitHub Issue
Problem
External programs were called with an absolute path, even those from known secure directories like
/sbin,/usr/sbin,/bin,/usr/bin. But for the usr-merge, they are being moved from/sbinto/usr/sbinand from/binto/usr/bin, so those absolute paths would need to be adapted for distros that do that.openSUSE Tumbleweed already did that, SLE-15 (GA, SPx) and Leap 15.x did not, so we would need to use different paths to call those external programs, depending on the target distro.
Solution
Don't call them with the full path, use
$PATHinstead; we are using a well-defined secure$PATHthat we set up at the very start of YaST. That$PATHis inherited by all child processes.Why Doesn't this Fail right now in TW?
Right now, TW has some compatibility symlinks, including:
/bin->/usr/bin/sbin->/usr/sbinSo those programs from the open-iscsi package can still be found via those. How long those symlinks will remain available is anyone's guess; while
/bin->/usr/binwill probably not be removed for the forseeable future (too many third-party scripts would break), the same is not so sure about/sbin->/usr/sbin.We want to make sure, not make assumptions.
More Details
Target Branch
This should not to merged to master before we branched off SLE-15 SP4 / Leap 15.4.