From: Maxim Cournoyer
To: Maxime Devos
Cc: 47849@debbugs.gnu.org
Subject: [bug#47849] [PATCH 1/1] services: Add a service for the Jami daemon.
Date: Mon, 19 Apr 2021 08:07:25 -0400
Message-ID: <87czuqiiki.fsf@gmail.com>
In-Reply-To: <1e9354c0744afc2d5d11d3eeecaba31f62e59e65.camel@telenet.be> (Maxime Devos's message of "Sun, 18 Apr 2021 13:41:06 +0200")
References: <20210417200414.18050-1-maxim.cournoyer@gmail.com> <20210417200617.18182-1-maxim.cournoyer@gmail.com> <1e9354c0744afc2d5d11d3eeecaba31f62e59e65.camel@telenet.be>

Hi Maxime!
Maxime Devos writes:

> Maxim Cournoyer wrote on Sat 17-04-2021 at 16:06 [-0400]:
> + (delete-file-recursively "/var/lib/jami/.cache/jami")
> + (delete-file-recursively "/var/lib/jami/.config/jami")
> + (delete-file-recursively "/var/lib/jami/.local/share/jami")
> + (delete-file-recursively "/var/lib/jami/accounts"))
>
> You might want to verify whether /var/lib/jami/{.cache,.config,.local/share,.local}
> aren't symbolic links.  That way, if the Jami daemon is compromised (due to buffer
> overflow --> arbitrary code execution or something), the attacker can't trick the
> shepherd service into deleting arbitrary directories.

It would only be able to delete directories that are world writable though,
right?  Seems the opportunity to cause damage is limited, but it's a simple
check to add, so I'll do it.

What if the daemon were run in a container (your suggestion in a following
email, which I agree would be a good thing)?  It would prevent this kind of
attack, right?

> This attack is _not_ blocked by fs.protected_symlinks.  From the sysctl documentation:
> When set to "1" symlinks are permitted to be followed only when outside
> a sticky world-writable directory, or [...]
>
> /var/lib/jami is not world-writable (I'd hope).

No, it's only readable/writable by the 'jami' user of the service:

$ sudo ls -ald /var/lib/jami
drwx------ 1 jami jami 80 Apr 19 00:38 /var/lib/jami

> Example scenario:
> * the jami daemon has a security bug that allows arbitrary code execution
>   within the daemon
> * the attacker exploits this
> * now the attacker can modify everything under /var/lib/jami
> * the attacker deletes /var/lib/jami/.config and replaces it with a symlink
>   to /home/ANY-USER/.config
> * eventually, the system reboots
> * (delete-file-recursively "/var/lib/jami/.config/jami") is run.
>   As "/var/lib/jami/.config" points to "/home/ANY-USER/.config",
>   this means "/home/ANY-USER/.config/jami" is deleted.
> * thus, ANY-USER loses their jami configuration

The cleanup code is run as the 'jami' user, so I don't think it'd be able to
touch anything under /home/ANY-OTHER-USER/, unless they manually loosened
permissions on their home directory (shooting themselves in the foot).

> Does that make sense to you?

It does!  Thanks for explaining.

Maxim
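Review bot: the four delete-file-recursively calls in the quoted hunk delete fixed paths beneath /var/lib/jami, so if the service user replaces one of the intermediate directories (.cache, .config, .local/share) with a symbolic link, the deletion is redirected to wherever the link points; lstat each component and skip the deletion when one is a link, as suggested in the quoted reply, and state in the service definition that the cleanup runs as the jami user, since that is what bounds what a redirected deletion can reach.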
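An added example of the check discussed above, in Guile; it is not code from the patch or from Guix itself. It assumes delete-file-recursively from (guix build utils), and the names symlink-component and delete-directory-unless-symlinked are hypothetical:

```scheme
;; Added example, not part of the patch under review.  Refuse to recurse into
;; a path if any of its components is a symbolic link, so that a compromised
;; daemon replacing e.g. /var/lib/jami/.config with a link cannot redirect the
;; cleanup elsewhere.  Assumes (guix build utils) for delete-file-recursively.
(use-modules (guix build utils)
             (ice-9 match))

(define (symlink-component path)
  "Return the first component of the absolute file name PATH that is a
symbolic link, or #f if none is.  Components that do not exist are skipped."
  (let loop ((components (cdr (string-split path #\/)))  ;drop the leading ""
             (current ""))
    (match components
      (() #f)
      ((head . tail)
       (let* ((next (string-append current "/" head))
              ;; lstat does not follow the final component; it raises
              ;; 'system-error when NEXT does not exist, and a missing
              ;; path is not something the cleanup can be tricked by.
              (st   (false-if-exception (lstat next))))
         (if (and st (eq? 'symlink (stat:type st)))
             next
             (loop tail next)))))))

(define (delete-directory-unless-symlinked path)
  "Delete PATH recursively unless PATH or one of its parents is a symbolic
link, in which case report it and leave everything in place.  Return #t when
something was deleted."
  (let ((link (symlink-component path)))
    (cond (link
           (format (current-error-port)
                   "not deleting ~a: ~a is a symbolic link~%" path link)
           #f)
          ((file-exists? path)
           (delete-file-recursively path)
           #t)
          (else #f))))

;; The four directories the service resets on start-up, as in the patch.
(for-each delete-directory-unless-symlinked
          '("/var/lib/jami/.cache/jami"
            "/var/lib/jami/.config/jami"
            "/var/lib/jami/.local/share/jami"
            "/var/lib/jami/accounts"))
```

The lstat and the deletion are not atomic, so the check only helps because the cleanup runs before the daemon is started; a still-running compromised daemon could swap a directory for a link in between.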