[Pkg-privacy-commits] [Git][pkg-privacy-team/monkeysphere][master] reduce risky use of chown
Daniel Kahn Gillmor
dkg at debian.org
Sun May 12 20:15:22 BST 2019
Daniel Kahn Gillmor pushed to branch master at Privacy Maintainers / monkeysphere
Commits:
39d3d539 by Daniel Kahn Gillmor at 2019-05-12T19:13:56Z
reduce risky use of chown
In general, chown is risky business. On most systems it can only be
done as root. Even riskier is chowning a file in a directory that is
already owned by a non-privileged user, because (depending on kernel,
system configuration, filesystem boundaries, etc) it's possible that
the non-privileged user could control the file pointed to, and the
superuser accidentally chowns a file they didn't intend.
Attacks here are often racy (TOCTOU) and subtly depend on interactions
with other system parts (e.g. gaining r/w control over a specific file
in /var/lib/dpkg/ or /var/lib/). Better to avoid these risks entirely
where possible.
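The pattern the commit message argues for, as an added example that is not code from this commit or from monkeysphere: the directory is handed to the unprivileged user once, and the file inside it is then created by that user under `umask 077` instead of being created by root and chowned afterwards, with the path passed to the child shell as an argument rather than spliced into the command string. `run_as_user` is a hypothetical stand-in for a privilege-dropping wrapper; it runs the command as the current user so the script can be tried without root.

```shell
#!/bin/sh
# Added example, not code from the monkeysphere commit: hand a directory to an
# unprivileged user and let that user create the file inside it, so root never
# runs chown on a path under a user-controlled directory (the TOCTOU hazard the
# commit message describes). The file name reaches the child shell as a
# positional argument rather than being re-parsed from the command string.

# Hypothetical stand-in for a privilege-dropping wrapper such as
# run_as_monkeysphere_user. It ignores the user name and runs the command as
# the current user so the example works without root.
run_as_user() {
    shift          # drop the user name argument
    "$@"
}

# create_private_file USER PATH
# Makes PATH exist with mode 0600, owned by USER. Only the directory is
# chowned (as root, with -h so a symlinked directory is not followed); the
# file itself is created by USER under umask 077, so no chown touches it.
create_private_file() {
    user=$1
    file=$2
    dir=$(dirname -- "$file")
    if [ "$(id -u)" -eq 0 ]; then
        chown -h "$user" -- "$dir"
    fi
    # "$1" inside the child shell is the file path; its characters are never
    # interpreted as shell syntax, whatever the name contains.
    run_as_user "$user" sh -c 'umask 077 && touch -- "$1"' sh "$file"
}

# is_mode_0600 PATH: succeeds only if PATH exists with permission bits exactly
# 0600 (touch's default 0666 masked by umask 077).
is_mode_0600() {
    [ -n "$(find "$1" -prune -perm 0600 -print 2>/dev/null)" ]
}
```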
- - - - -
2 changed files:
- src/share/ma/setup
- src/share/ma/update_users
Changes:
=====================================
src/share/ma/setup
=====================================
@@ -45,8 +45,12 @@ EOF
fi
done
+ # make sure the monkeysphere user owns the sphere gnupghome
+ log debug "fixing sphere gnupg home ownership..."
+ chown "$MONKEYSPHERE_USER:$MONKEYSPHERE_GROUP" -- "${GNUPGHOME_SPHERE}"
+
log debug "writing sphere gpg.conf..."
- cat >"${GNUPGHOME_SPHERE}"/gpg.conf <<EOF
+ run_as_monkeysphere_user sh -c "$(printf 'cat > %q/gpg.conf' "${GNUPGHOME_SPHERE}")" <<EOF
# Monkeysphere trust sphere GnuPG configuration
# This file is maintained by the Monkeysphere software.
# Edits will be overwritten.
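Review bot: the new `chown "$MONKEYSPHERE_USER:$MONKEYSPHERE_GROUP" -- "${GNUPGHOME_SPHERE}"` still follows a symlink if the directory path itself is one; the update_users hunk in this same commit adds `--no-dereference` for exactly that reason, so the same flag (or its POSIX spelling `-h`) would be consistent here. Separately, `printf %q` is a bash extension whose output can take the `$'...'` form for unusual characters, which a POSIX `sh -c` does not parse; passing the path as a positional argument, e.g. `sh -c 'cat > "$1"/gpg.conf' sh "${GNUPGHOME_SPHERE}"`, avoids depending on that quoting round-trip.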
@@ -56,11 +60,6 @@ keyid-format 0xlong
${KEYSERVER_OPTIONS}
EOF
- # make sure the monkeysphere user owns everything in the sphere
- # gnupghome
- log debug "fixing sphere gnupg home ownership..."
- chown "$MONKEYSPHERE_USER:$MONKEYSPHERE_GROUP" "${GNUPGHOME_SPHERE}" "${GNUPGHOME_SPHERE}"/gpg.conf
-
# get fingerprint of core key. this should be empty on unconfigured systems.
local CORE_FPR=$(core_fingerprint)
log debug "core fingerprint: $CORE_FPR"
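Review bot: with this chown removed, correct ownership of gpg.conf now depends entirely on the here-doc write in the earlier hunk actually running as `$MONKEYSPHERE_USER` with stdin passed through; `run_as_monkeysphere_user` is not in this diff, so if it does not forward stdin the result would be an empty gpg.conf rather than a root-owned one. A check that the file is non-empty after the write would make that failure mode visible instead of silent.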
=====================================
src/share/ma/update_users
=====================================
@@ -60,13 +60,11 @@ for uname in $unames ; do
# create temporary authorized_keys file
tmpAuthorizedKeys="${TMPLOC}/authorized_keys"
- touch -- "$tmpAuthorizedKeys"
# set restrictive permissions on the temporary files
- # FIXME: is there a better way to do this?
chmod 0700 -- "$TMPLOC"
- chmod 0600 -- "$tmpAuthorizedKeys"
- chown -R "$MONKEYSPHERE_USER" -- "$TMPLOC"
+ chown --no-dereference "$MONKEYSPHERE_USER" -- "$TMPLOC"
+ run_as_monkeysphere_user sh -c "$(printf 'umask 077 && touch -- %q' "$tmpAuthorizedKeys")"
# process authorized_user_ids file
log debug "checking for authorized_user_ids..."
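Review bot: two portability points on `chown --no-dereference "$MONKEYSPHERE_USER" -- "$TMPLOC"` and the `run_as_monkeysphere_user sh -c "$(printf 'umask 077 && touch -- %q' ...)"` line: `--no-dereference` is a GNU long option and `-h` is the POSIX-specified equivalent, and the `printf %q` round-trip has the same bash-only caveat as in the setup hunk, avoidable by passing `$tmpAuthorizedKeys` to the child shell as a positional argument. The ordering itself is sound: `chmod 0700` and the non-recursive chown act on the directory only, and the file is then created by the unprivileged user under `umask 077`, which gives touch's default 0666 a final mode of 0600 without the removed `chmod 0600`.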
View it on GitLab: https://salsa.debian.org/pkg-privacy-team/monkeysphere/commit/39d3d539b85ad027e27a811c7456a315beceb826