From: Assaf Gordon
Subject: [bug-diffutils] bug#35256: bug#35256: Bug report for -W argument (maximum width) - minor and not dangerous
Date: Tue, 27 Aug 2019 18:56:46 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
Hello,
Slightly off-topic, but potentially helpful:
On 2019-08-27 5:23 p.m., Paul Eggert wrote:
> address@hidden wrote:
>> I know diff is used by A LOT of other programs, some of which are
>> web-accessible
>
> [...] if you let a remote attacker
> specify an arbitrary option to GNU diff there is lots of other trouble
> you can get into.
> [....] The general wisdom nowadays is to not expose command-line
> operands to attackers.
While generally true, sometimes there's no way around it
(or perhaps it is even the goal).
An easy way to restrict resources is to execute a simple
wrapper shell script that uses 'timeout', 'prlimit' and 'setpriv' for
additional restrictions.
For example:
    timeout 10s \
        setpriv --no-new-privs \
        prlimit --cpu=3 --data=50000000 --nproc=1 \
        diff [ARGS]
will limit the "diff" process to running 10 seconds (of wall time),
consume up to 3 seconds of CPU time,
use up to 50MB of memory,
and limit to a single process (so it can't execute child processes).
The "setpriv" ensures it can't gain new privileges.
"prlimit" has more options (e.g. "--fsize" to limit file sizes
so it won't fill the drive, and "--nofile" to limit number of open files).
These should work on any modern GNU/Linux system
("timeout" is from coreutils, "setpriv" and "prlimit" are from util-linux).
None of the above is perfect,
but they add a quick layer of additional restrictions
(and they don't require additional privileges to use).
To take it a step further, you can use containers and tools such as
"bubblewrap" and "firejail" to isolate a process from the network,
from the filesystem, and even from other processes.
Hope this helps,
-assaf
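
The wrapper script described in the message above, as an added example that is not part of the original post. It also refuses option-like operands so a caller can supply only two file paths; the function names, the "-u" output format and the "--fsize"/"--nofile" values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: run diff on two caller-supplied paths under the limits
# from the message (10s wall time, 3s CPU, 50MB data, one process).
# The --fsize and --nofile values below are assumed, not from the message.

# Accept exactly two operands, each a readable regular file.
# Anything empty or starting with "-" is refused, so neither an option
# nor "-" (stdin) can reach diff.
validate_operands() {
    [ "$#" -eq 2 ] || return 2
    for p in "$@"; do
        case "$p" in
            ''|-*) return 2 ;;
        esac
        [ -f "$p" ] && [ -r "$p" ] || return 2
    done
    return 0
}

limited_diff() {
    validate_operands "$@" || {
        echo "usage: limited_diff FILE1 FILE2" >&2
        return 2
    }
    # "--" ends option parsing in diff as a second line of defence.
    timeout 10s \
        setpriv --no-new-privs \
        prlimit --cpu=3 --data=50000000 --nproc=1 \
                --fsize=1000000 --nofile=16 \
        diff -u -- "$1" "$2"
}

# When invoked as a script with arguments, act as the wrapper.
[ "$#" -eq 0 ] || limited_diff "$@"
```

A path that really begins with a dash can still be compared by passing it as "./-name".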