Strict access checks for scripts, secrets files and call option files#577
Open
paulusmack wants to merge 3 commits intomasterfrom
Open
Strict access checks for scripts, secrets files and call option files#577paulusmack wants to merge 3 commits intomasterfrom
paulusmack wants to merge 3 commits intomasterfrom
Conversation
As a security measure, check that scripts that are run as root by pppd using run_program() could not have been changed by a non-root process. First, the path to the script file is converted to an absolute path without symlinks using realpath(). Then each component of the path from the root directory down, as well as the file itself, are checked to verify that they are owned by root and not writable by group or other. This ensures that some other file couldn't be substituted for the file that has been checked, and the file itself can't be changed. (Clearly a process running as root could modify the path or the file itself, but if that is being done maliciously, then the system must already be compromised.) The process of checking the path and the file is in a new function called ppp_check_access(). Most of the code added here was originally written by Jaco Kroon <jaco@uls.co.za>. I moved the code into a separate function, changed the error messages, changed fstatat(..., AT_SYMLINK_NOFOLLOW) to lstat(), and otherwise tweaked it a little. Originally-by: Jaco Kroon <jaco@uls.co.za> Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
…cesses Check that files containing secrets used by a remote system to authenticate itself to this system could not be changed by a non-root process, that is, that the file and all directories in the real path to it are owned by root and not writable by group or other. The files that are checked in this way are: /etc/ppp/pap-secrets (or alternate location set by pap-secrets option) /etc/ppp/chap-secrets (ditto for chap-secrets option) /etc/ppp/srp-secrets /etc/ppp/eaptls-server /etc/ppp/eaptls-client Files specified using @/file syntax in a secrets file Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
This checks, using ppp_check_access(), that files invoked using the "call" option can't be tampered with by non-root processes. Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is a reworking and extension of @jkroonza's work in PR #561 to pull out the checking code into a separate function and use it for secrets files and call option files as well as scripts. I moved the checking code into a new function called ppp_check_access() and I used lstat() instead of fstatat(..., AT_SYMLINK_NOFOLLOW), updated the error messages, and reworked the main loop, but apart from that, the body of ppp_check_access() is basically @jkroonza's code.
I would appreciate review and testing - in particular, are there things being checked here that shouldn't be, or things that aren't and should be?