Re: recursive commands
From: Marcus Brinkmann
Subject: Re: recursive commands
Date: Tue, 26 Mar 2002 08:42:27 -0500
User-agent: Mutt/1.3.25i
On Tue, Mar 26, 2002 at 10:23:08AM +0100, Oystein Viggen wrote:
> Hi
>
> I was wondering: If a user attaches a translator to a node in "/tmp" that
> shows, say, "/etc", "/sbin", "/", or something else, and root runs "rm
> -Rf /tmp", what will happen?
You are not creating a full scenario here; "to show" is not a filesystem
concept in the Hurd, so I can only guess what you mean.
However, you are right that there is such a condition. If you firmlink
a directory, rm will traverse into this directory.
As root:
mkdir test
touch test/foo
As user:
settrans -ac test2 /hurd/firmlink test
As root:
rm -fR test2
And test/foo will be gone. Note that in the tmpreaper function in
libexec/rc, we are carefully removing translators first.
Note that if you open a node with O_NOFOLLOW, translators will not be
followed, so some of such attacks are stopped by this. However, rm is
not suspecting that a directory could be anything that it shouldn't
follow.
> Will it be:
> 1. rm sees a directory, recurses, and deletes a lot of important files?
> 2. rm sees a directory and recurses, but because the translator is
> running as, say, oysteivi, the ports provided won't give access to
> actually delete stuff oysteivi couldn't delete himself? or
If you use a firmlink, the translator will redirect the user to the
other node, and the user will open it himself (retry). This is why the
permissions are there.
Scenario 2 can also happen, if the translator looks up the nodes himself.
This is important because if you lookup a node in a translator, and you
don't retry blindly, you can be sure everything is ok permission wise.
(eg, O_NOTRANS does the right thing).
> 3. rm sees a translator not owned by any id possessed by the current rm
> process, tries to remove the translator and go on?
rm is not translator aware.
> I'm a bit unclear on the port auth stuff, so I'm not sure if 2. is
> likely, but if 1. happens, there is a lot of work to do on rm,
> tmpwatch/tmpreaper, and mv. (I guess this is they don't allow directory
> hardlinks in Unix...)
Seems so. You definitely have to be much more careful with rm -r in
a space you don't own.
> Can anybody provide any advice on how to best add such translator
> support to user space programs?
We will need to discuss the details here. In general, translators
should be transparent except when a special option is given. For rm -r,
I am not so sure.
> Is putting the important code inside
> "#ifdef _HURD_" or somesuch advisable? (do we even have such a #define
> to lean on?)
We have __GNU__, don't use it. Write an autoconf check for the
features you need.
Thanks,
Marcus
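An added example, not code from this thread or from the Hurd project: a minimal recursive remove in C that applies the defensive pattern Marcus describes, opening every directory with the O_NOFOLLOW flag he mentions (plus O_NOTRANS where the system headers define it) and inspecting each node without following it before deciding what to do with it. Going one step beyond the mail, it also refuses to cross into a directory that sits on a different device and re-checks the device and inode numbers after opening, so a mount point or an entry swapped between inspection and open is never entered. It assumes a POSIX system with openat, fstatat and unlinkat, a writable /tmp, and was checked on Linux; the O_NOTRANS branch only compiles on the Hurd and has not been run there. The self-check builds a constructed tree in which a link inside the directory being removed points back out to a sibling directory, standing in for the firmlink in Marcus's demonstration, and verifies that the sibling's file survives.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOTRANS
#define O_NOTRANS 0 /* Hurd-only flag; assumed 0 elsewhere so the mask compiles */
#endif

#define DIR_FLAGS (O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_NOTRANS | O_CLOEXEC)

/* Remove everything beneath an already opened directory fd. Only plain
   directories on the starting device `dev` are entered; anything else
   (symlink, other device, translated node) is unlinked in place or refused.
   Returns 0 on success, -1 if any entry could not be handled. */
static int rmtree_fd(int dirfd, dev_t dev)
{
    int dupfd = dup(dirfd);                 /* closedir() will close this copy */
    if (dupfd < 0) return -1;
    DIR *d = fdopendir(dupfd);
    if (!d) { close(dupfd); return -1; }
    struct dirent *e;
    int rc = 0;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        struct stat st;
        /* Look at the entry itself, never at whatever it would redirect to. */
        if (fstatat(dirfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0) { rc = -1; continue; }
        if (S_ISDIR(st.st_mode) && st.st_dev == dev) {
            int sub = openat(dirfd, e->d_name, DIR_FLAGS);
            if (sub < 0) { rc = -1; continue; }
            struct stat st2;
            /* The directory we opened must be the node we just inspected. */
            if (fstat(sub, &st2) < 0 || st2.st_dev != st.st_dev || st2.st_ino != st.st_ino) {
                close(sub); rc = -1; continue;
            }
            if (rmtree_fd(sub, dev) < 0) rc = -1;
            close(sub);
            if (unlinkat(dirfd, e->d_name, AT_REMOVEDIR) < 0) rc = -1;
        } else if (S_ISDIR(st.st_mode)) {
            rc = -1;                        /* directory on another device: refuse */
        } else if (unlinkat(dirfd, e->d_name, 0) < 0) {
            rc = -1;                        /* file or symlink: remove the entry only */
        }
    }
    closedir(d);
    return rc;
}

/* Remove `path` and its contents without following links or leaving the device. */
int safe_rmtree(const char *path)
{
    int fd = open(path, DIR_FLAGS);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    int rc = rmtree_fd(fd, st.st_dev);
    close(fd);
    if (rc == 0 && rmdir(path) < 0) rc = -1;
    return rc;
}

static int touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd < 0 ? -1 : close(fd);
}

/* Self-check on a constructed tree (assumption: /tmp is writable):
     base/target/keep                        must survive
     base/victim/a, victim/sub/b             removed
     base/victim/link -> ../target           unlinked, never entered
   Returns 1 when victim is gone and target/keep is still there. */
int safe_rmtree_demo(void)
{
    char base[] = "/tmp/rmtree-demo-XXXXXX";
    if (!mkdtemp(base)) return 0;
    char p[512];
    int ok = 1;
    snprintf(p, sizeof p, "%s/target", base);       if (mkdir(p, 0700)) ok = 0;
    snprintf(p, sizeof p, "%s/target/keep", base);  if (touch(p)) ok = 0;
    snprintf(p, sizeof p, "%s/victim", base);       if (mkdir(p, 0700)) ok = 0;
    snprintf(p, sizeof p, "%s/victim/a", base);     if (touch(p)) ok = 0;
    snprintf(p, sizeof p, "%s/victim/sub", base);   if (mkdir(p, 0700)) ok = 0;
    snprintf(p, sizeof p, "%s/victim/sub/b", base); if (touch(p)) ok = 0;
    snprintf(p, sizeof p, "%s/victim/link", base);  if (symlink("../target", p)) ok = 0;
    if (!ok) return 0;
    snprintf(p, sizeof p, "%s/victim", base);
    if (safe_rmtree(p) != 0) return 0;
    struct stat st;
    if (lstat(p, &st) == 0) return 0;                /* victim must be gone */
    snprintf(p, sizeof p, "%s/target/keep", base);
    if (lstat(p, &st) != 0) return 0;                /* file behind the link survived */
    snprintf(p, sizeof p, "%s/target", base);        /* clean up the fixture */
    safe_rmtree(p);
    rmdir(base);
    return 1;
}
```

The two checks that matter are the ones an rm that is "not translator aware" lacks: the node is examined with AT_SYMLINK_NOFOLLOW before anything is opened, and a directory is only descended into after the opened descriptor is confirmed to be that same inode on the same device. An entry that redirects elsewhere is removed as an entry, and what it pointed at is left alone.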