Comment 19 for bug 357024

Revision history for this message
Stephane Chazelas (stephane-chazelas) wrote : Re: [Bug 357024] Re: security hole in /etc/cron.daily/apport

2009-04-15 19:20:50 -0000, Martin Pitt:
> So this is indeed quite hard to reproduce. A simple ln -s /etc
> /var/crash/etc will not work, since find will just report the
> /var/crash/etc symlink and not descend. So it indeed needs the much more
> complex fuse/ultra-large dir trick, but the explanation makes sense to
> me.

That's a very common trick though, described in a lot of
resources about security.

It's a race condition of the type:
if (condition) action
where the condition can be changed by someone else in between
the time the condition is evaluated and the action with the
addition that the attacker may introduce as large a delay as he
likes (creating a huge dir is one example, there may exist
more). The changing of a dir to a symlink is a very well know
trick as well.

I agree you can forget about the fuse one, if an "evil" user is
allowed to mount fuse filesystem with allow_root, you're in big
trouble anyway. It just happened I has fuse in mind when I wrote
the report.

> I discussed this with Jamie, and did some local testing. Adding
> -maxdepth 1 -type f works, and I consider that a safe security update.
> Rewriting the statement entirely using the -prune way you described will
> be done in trunk.

Yes, that seems OK to me as well AFAICT.

Best regards,
Stephane