Hi,I don't have any objections regarding the change of the default tmpfiles provider but I would like to classify the vulnerability:
On 2020-11-25 22:57, Georgy Yakovlev wrote:
In case you don't know, opentmpfiles has an open CVE CVE-2017-18925:root privilege escalation by symlink attack https://github.com/OpenRC/opentmpfiles/issues/4 It has been an issuefor quite a while, reported 3 years ago, and not much changed since.
Don't get scared by 'root privilege escalation': *Any* problem in *any* tmpfiles provider will *always* allow for root privilege escalation because this service is run by root early at boot.
In theory you could create a user for this service but you would need CAP_DAC_OVERRIDE privileges which would again allow for root privilege escalation.
Regarding CVE-2017-18925 itself: First you have to understand that anyone can request a CVE and that it isn't CNA's job to verify your report. That's it, having a CVE doesn't mean that a problem was confirmed. A CVE is just an identifier which should allow anyone who want to talk about the same problem to do that. For example when we file bug 123 in bugs.gentoo.org and Fedora would have the same package and experience the same issue they would file bug 456 in their bug tracker -- the goal of a CVE is just to connect information regarding the same issue -- in this example, the CVE would get references to Gentoo's bug 123 and Fedora's bug 456.
The bug itself is about a race condition. This race condition is real.However, the impact is questionable: tmpfiles service will only process files from
/etc/tmpfiles.d/*.conf /run/tmpfiles.d/*.conf /usr/lib/tmpfiles.d/*.confOnly root is allowed to write to these directories. In other words: To exploit this, a malicious local user (or a remote attacker who already gained user access) would have to trick root into creating specially crafted tmpfiles config allowing for race conditions first (according to the 10 immutable laws of security, if this is already possible, you are already lost).
If root doesn't install any tmpfiles config which will create such a race condition and if package maintainer will take care that their packages won't do the same, you are fine.
Rule of thumb: Just make sure that you only create top level directories. If something already exists, error out. Because whenever you try to work in a directory where any other user is able to write to at the same time, you are always vulnerable to such a race condition (that's why you should have a second level for actual user data and keep first level for ACL handling -- the service user must only be allowed to pass through this directory).
PS: Just to avoid any misunderstandings: OpenTmpfiles should of course try to fix/avoid this problem if possible. Security is a layered process (like an onion) and having multiple safe-guards is always a good thing.
-- Regards, Thomas Deutschmann / Gentoo Security Team fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
OpenPGP_signature
Description: OpenPGP digital signature
