Bug#936060: rocksndiamonds lintian override for maintainer-script-should-not-use-recursive-chown-or-chmod reasoning is incorrect

Stephen Kitt skitt at debian.org
Thu Aug 29 22:18:53 BST 2019


Hi Daniel,

Thanks for taking an interest in this, I’ve often wondered if I’d got my
analysis right...

On Thu, 29 Aug 2019 10:45:08 -0400, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> the lintian override says:
> 
> # We recursively chown files to root:root after neutering their
> # permissions, so the attacks mentioned by Lintian aren’t applicable
> rocksndiamonds: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:340
> rocksndiamonds: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:341
> rocksndiamonds: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:342
> 
> But this reasoning doesn't follow.

I agree, and it seems I forgot the first rule of security, documenting the
scenarios.

> The script is:
> 
>     cmd_execute "find $tempdir -type d -exec chmod 0755 '{}' '+'";
>     cmd_execute "find $tempdir -type f -exec chmod 0644 '{}' '+'";
>     cmd_execute "chown -R root:root $tempdir";
> 
> even if we set aside race condition concerns (can some unprivileged user
> get away with something between the find and the chown?), the
> "neutering" of permissions makes all the files in that directory
> world-readable.
> 
> so if an attacker can manage to link /etc/shadow or
> /etc/ssh/ssh_host_*_key or whatever into that directory before the chown
> happens, they can reveal system secrets that should only be visible to
> the superuser.

But all this happens inside $tempdir, which is root:root 700. If anyone can
race there, or read files, we’ve lost already, haven’t we? And if they can’t,
then we’re safe, at least until we copy the files elsewhere — and I think at
this point we’re sure the files can only match the contents of the archives we
unpack.

The scenario I was thinking of when I wrote my comment was the issue of
suid/sgid binaries, since those could be stored in the archives we extract.
But even then, I don’t think there would be a way of exploiting them even if
the chown happened before the chmods, and in any case the archives are
extracted without preserving permissions...

It’s quite likely I’ve missed something, so if you can identify a scenario in
which the extraction is unsafe, I’d love to know about it.

Regards,

Stephen
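The argument above rests on one invariant: the recursive chmod and chown only happen inside a directory that is a real directory, owned by the invoking user and mode 0700, so nobody else can place links in it between the find and the chown. The following is an added example (not the rocksndiamonds postinst and not code from either correspondent) that makes that invariant an explicit precondition and keeps the private directory itself at 0700 while normalising its contents. The function names, the `-mindepth 1` exclusion of the top-level directory, and the owner parameter (so a non-root caller can run it on their own files) are this example's assumptions; the three normalising commands are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not the postinst: verify the "private temp dir" invariant
# before doing recursive chmod/chown, then confirm no setuid/setgid bits survive.
set -eu

# mktemp -d creates the directory mode 0700 owned by the caller; the umask is
# set in the function's own subshell when called via $(...), so it does not leak.
make_private_tempdir() {
    umask 077
    mktemp -d
}

# Precondition for the recursive operations: a real directory (not a symlink),
# owned by the invoking user, with mode exactly 0700. Returns 1 otherwise.
check_private_dir() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    # -maxdepth 0 tests the directory itself; -perm 700 is an exact-mode match
    # (GNU and BSD find both support -maxdepth).
    [ -n "$(find "$dir" -maxdepth 0 -type d -perm 700 -user "$(id -un)")" ] || return 1
}

# Normalise the tree inside a verified private directory: directories 0755,
# files 0644 (which also clears setuid/setgid/sticky), then set ownership.
# $2 is the chown owner spec (root:root in the postinst; assumption here is
# that a non-root caller passes their own user:group). -mindepth 1 leaves the
# private directory itself at 0700 until it is cleaned up; the postinst's
# find would rewrite it to 0755 as well.
neuter_tree() {
    dir=$1
    owner=$2
    check_private_dir "$dir" || { echo "refusing: $dir is not a private directory" >&2; return 1; }
    find "$dir" -mindepth 1 -type d -exec chmod 0755 '{}' '+'
    find "$dir" -mindepth 1 -type f -exec chmod 0644 '{}' '+'
    chown -R "$owner" "$dir"
}

# Post-condition check: number of regular files still carrying setuid or
# setgid under the tree. Expected to be 0 after neuter_tree.
count_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# Usage (constructed sample tree; runs as an unprivileged user):
#   d=$(make_private_tempdir)
#   mkdir "$d/sub"; printf 'x' > "$d/sub/file"; chmod 4755 "$d/sub/file"
#   neuter_tree "$d" "$(id -un):$(id -gn)"
#   count_special_bits "$d"   # prints 0
#   rm -rf "$d"
```

The refusal path matters as much as the happy path: if `$tempdir` were a symlink, world-writable, or owned by someone else, the recursive chmod would be operating on whatever another user linked into place, which is exactly the case the Lintian tag warns about.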