Ensure that qfile-unpacker never traverses symbolic links in files being unpacked#114
Conversation
This defeats the protections provided by opendir_safe(). Instead, use the already-open file descriptor for the file's containing directory. It is unclear whether this can be used to escape a bind mount, as linkat() might fail with -EXDEV in this case. However, it is definitely wrong and needs to be fixed. A search for "untrusted_name" in qrexec-lib/unpack.c finds that these are the only places where an untrusted path that may contain "/" is used as a path in a system call argument. In all other cases, either the path is trusted or only paths that are guaranteed to not contain "/" are used, ensuring that the vulnerability in Qubes Security Bulletin 014 can never be a problem again. Fixes: ce2df91 ("Initial work on safe open")
This is not a security vulnerability, since an attacker cannot cause a symbolic link to replace a file and the symlink restrictions mean that the attacker could only change permissions of paths inside ~/QubesIncoming/VMNAME/TOPLEVEL_DIR anyway. Still, not following symbolic links is the right thing to do. With pre-6.6 Linux kernels, fchmodat(fd, path, AT_SYMLINK_NOFOLLOW) is broken in a chroot without /proc mounted, so it cannot be used. Instead, open the path and call fchmod() on the file descriptor. Fixes: ed68c01 ("Use FD-based versions chmod and utime")
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #114 +/- ##
=======================================
Coverage 77.35% 77.35%
=======================================
Files 5 5
Lines 424 424
=======================================
Hits 328 328
Misses 96 96 ☔ View full report in Codecov by Sentry. |
OpenQA test summaryComplete test suite and dependencies: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2024062721-4.3&flavor=pull-requests Test run included the following:
New failures, excluding unstableCompared to: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2024062115-4.3&flavor=update
Failed tests11 failures
Fixed failuresCompared to: https://openqa.qubes-os.org/tests/103633#dependencies 5 fixed
Unstable testsDetails
|
See individual commit messages for details.
Each of these commits has a
Fixes:tag indicating the commit that it fixes. The commits should be backported to any branch containing these commits.Tested by setting
LD_LIBRARY_PATHto the the path containing alibqubes-rpc-filecopy.so.2with these patches, then runningqfile-unpackeras root and ensuring that it can properly unpack a stream generated by a localqfile-agent.