From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Maxime Devos Newsgroups: gmane.lisp.guile.devel Subject: Re: [PATCH] Bindings to *at functions & allowing more functions to operate on ports Date: Sat, 27 Mar 2021 22:19:20 +0100 Message-ID: References: <175c3a6572e832d84927937b309a3095cadf5702.camel@telenet.be> Mime-Version: 1.0 Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="=-XPEs6UWtnciGje8ezH04" Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="15757"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Evolution 3.34.2 Cc: Andy Wingo , Ludovic =?ISO-8859-1?Q?Court=E8s?= , guile-devel@gnu.org, Leo Famulari Original-X-From: guile-devel-bounces+guile-devel=m.gmane-mx.org@gnu.org Sat Mar 27 22:19:56 2021 Return-path: Envelope-to: guile-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lQGLc-00040o-Ru for guile-devel@m.gmane-mx.org; Sat, 27 Mar 2021 22:19:56 +0100 Original-Received: from localhost ([::1]:45610 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lQGLb-0006ek-SR for guile-devel@m.gmane-mx.org; Sat, 27 Mar 2021 17:19:55 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:44152) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lQGLN-0006eX-6B for guile-devel@gnu.org; Sat, 27 Mar 2021 17:19:41 -0400 Original-Received: from andre.telenet-ops.be ([2a02:1800:120:4::f00:15]:42174) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lQGLK-00060F-Pp for guile-devel@gnu.org; Sat, 27 Mar 2021 17:19:40 -0400 Original-Received: from ptr-bvsjgyjmffd7q9timvx.18120a2.ip6.access.telenet.be ([IPv6:2a02:1811:8c09:9d00:aaf1:9810:a0b8:a55d]) by andre.telenet-ops.be with bizsmtp id lZKb240010mfAB401ZKbJ3; Sat, 27 Mar 2021 22:19:35 +0100 In-Reply-To: <175c3a6572e832d84927937b309a3095cadf5702.camel@telenet.be> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21; t=1616879975; bh=VH0X89DFujIaCKeM/FvjnDXAn+g670dPi/m0EOoqQj4=; h=Subject:From:Cc:Date:In-Reply-To:References; b=sh1XU/nifwnjxb7CQq0B7lY6fjWTJKzVfWp/1K97IKczuSshGcsoZk8uKMxDGhjJB ttTXmVhICjm5XJnqqv3VQNZA0rnMKxVPsvriLbug1v8Re0Be1Yau8Hdx/x6Cw32E+S /VJwbqH3/gbMceGMcawz7E1K3nWOG/KbqBQbDKzciLNCrwte/mAHRPBxiyohJZ353u YSqEgt0+7cnX7VielNUcgr0f3gLEOfZR1JjayfE1IlNgYyfiZgIbQ7jUVFMwT3fC0a spcEa4doDA/pbGBpozMW1E8nAcX0k2HOOngy77t0pQ403KG6vTmM3KM1iA0vQ1HZMy REsH5dTily8NQ== Received-SPF: pass client-ip=2a02:1800:120:4::f00:15; envelope-from=maximedevos@telenet.be; helo=andre.telenet-ops.be X-Spam_score_int: -17 X-Spam_score: -1.8 X-Spam_bar: - X-Spam_report: (-1.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, MISSING_HEADERS=1.021, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: guile-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Developers list for Guile, the GNU extensibility library" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guile-devel-bounces+guile-devel=m.gmane-mx.org@gnu.org Original-Sender: "guile-devel" Xref: news.gmane.io gmane.lisp.guile.devel:20714 Archived-At: --=-XPEs6UWtnciGje8ezH04 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi, [CC'ing some Guile and Guix maintainers because this is important for the security of Guix System.] I want to explain why these patches (and the O_FLAGS (*) patch) should be included in Guile. Functions like "openat" are important to avoid TOCTTOU (time-of-check to time-of-use) vulnerabilities involving symbolic links. For example, suppose we have a web server implemented in Guile. Suppose the address is https://web.gnu. It allows a local user U (and some others) to define their own web pages to host at http://web.gnu/~U, by writing files to /home/U/www. As there are multiple users, the server has to run as root. Now suppose U is the malicious kind of user. Then $U could create a symlink at /home/U/www/maliciousity pointing to /home/other-user/.gnupg/private-keys-v1.d/FINGERPRINT.key. Now U could download other-user's gpg key, for example with "wget http://web.gnu/~U/maliciousity". Oops! How can this vulnerability be avoided? * Use O_NOFOLLOW to *not* follow the symbolic link. Patch for adding O_NOFOLLOW to guile: . And why do we need openat? Well, suppose the web server is not read-only, and supports (say) WebDAV or FTP for modifying files remotely (I mean U can remotely modify http://web.gnu/~U). Then U could create a symlink at /home/U/www/maliciousity pointing to /home/other-user. Now U can peek into other-user's home directory and overwrite files. Oops! How can the web server avoid this? * First open "/home/U" as usual, resulting in a port $1. Then use (openat $1 "maliciousity" O_NOFOLLOW), resulting in a port $2. Use (stat $2) to see if $2 is a directory or a regular file **and** to see if $2 is owned by $2! If necessary, recurse, etc. Display a directory listing or display the file, etc. How does this matter for Guix? Guix has a TOCTTOU race: . It has been partially fixed: . However, a complete fix requires bindings to "openat". I found another similar issue in Guix lately (not yet disclosed publicly). While I think the conditions for this other potential security issue to be exploitable don't ever happen in practice, I would still like to fix this issue, and to be able to prevent similar issues from appearing in the future. Greetings, Maxime. --=-XPEs6UWtnciGje8ezH04 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iI0EABYIADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYF+hWBccbWF4aW1lZGV2 b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7utNAP9XbB2Ym32Q3NAUpVeLGGmtBzgV TeWWd+HWUbt6nSfTvAD+Ogjsb3k9+1I+cc+5bB3qO6+3Zwrkh5H9QE7ZeA0M8w8= =GMRp -----END PGP SIGNATURE----- --=-XPEs6UWtnciGje8ezH04--