| author | Kaz Kylheku <kaz@kylheku.com> | 2022-07-29 05:20:13 -0700 |
|---|---|---|
| committer | Kaz Kylheku <kaz@kylheku.com> | 2022-07-29 05:20:13 -0700 |
| commit | 101303eb8bfd6a5ac99324467e83139e0e6c4b18 (patch) | |
| tree | ef059efde8e898a97fa034bdd7b4783781109593 /safepath.h | |
| parent | ae1812c2c755ffa2b62ac5e7e67e04be6798d16c (diff) | |
Guard against /proc/<pid>/cwd attack.
This exploit against safepath_check was reported by
Tavis Ormandy in the comp.unix.programmer Usenet
newsgroup on July 29th (UTC), message ID
jkgrb9FhdslU1 <at> mid.individual.net.
On Linux, if you change to some directory and
run the "su" program, the operating system will
spin up a process whose /proc/<pid> directory is
root-owned, and not writable (thus safe-looking)
and contains a cwd symlink pointing to that
directory.
Regular users cannot follow this symlink, but
root can, which makes it an attack vector.
There are more unsafe links under /proc;
this will be addressed in another commit.
* safepath.c (simplify_path): New static function,
for removing "..", "." and empty components
from a path without filesystem access. When
we are checking absolute paths for unsafe patterns
we must use simplified paths, otherwise these
components can be used to evade the matches we
are looking for. However, we cannot then do all
of our safety checks on a simplified path because
a simplified path can be completely safe, whereas
the original isn't: e.g. foo/unsafe/../bar simplifies
to foo/bar.
(abs_path_check): New static function.
Here we will place all knowledge about special
paths that are possible attack vectors, starting
with this ill-considered /proc/<pid>/cwd.
(safepath_check): If the input path is absolute,
check it with abs_path_check. Also, if a symlink
target is an absolute path, check it also.
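As an added illustration, not the safepath project's own code, here is a hypothetical C sketch of the two functions the commit message introduces: a lexical simplify_path (no filesystem access) and an abs_path_check that recognises /proc/<pid>/cwd on the simplified form. The per-component symlink walk that safepath_check still performs on the original path is assumed and not shown; the buffer sizes and the 256-component limit are arbitrary choices for the example.

```c
#define _POSIX_C_SOURCE 200809L              /* for strtok_r */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Lexically collapse ".", ".." and empty components, no filesystem access.
 * "/.." at the root stays put; a leading ".." in a relative path is kept. */
static const char *simplify_path(const char *in)
{
    static char out[4096];                     /* static: example only, not reentrant */
    char buf[4096], *comps[256], *tok, *save;
    int n = 0, absolute = (in[0] == '/');
    size_t len = 0;
    snprintf(buf, sizeof buf, "%s", in);       /* private copy: strtok_r writes to it */
    for (tok = strtok_r(buf, "/", &save); tok; tok = strtok_r(NULL, "/", &save)) {
        if (strcmp(tok, ".") == 0)
            continue;                          /* "." never changes the path */
        if (strcmp(tok, "..") == 0 && n > 0 && strcmp(comps[n - 1], "..") != 0)
            n--;                               /* ".." pops the previous component */
        else if (strcmp(tok, "..") == 0 && absolute)
            continue;                          /* cannot climb above "/" */
        else if (n < 256)
            comps[n++] = tok;
    }
    out[0] = '\0';
    if (absolute) len = snprintf(out, sizeof out, "/");
    for (int i = 0; i < n && len < sizeof out; i++)
        len += snprintf(out + len, sizeof out - len, "%s%s", comps[i], i + 1 < n ? "/" : "");
    if (!absolute && n == 0) snprintf(out, sizeof out, ".");
    return out;
}

/* 1 if an already-simplified absolute path is /proc/<pid>/cwd or anything
 * below it: the symlink the commit message identifies as an attack vector. */
static int abs_path_check(const char *simp)
{
    const char *p = simp;
    if (strncmp(p, "/proc/", 6) != 0 || !isdigit((unsigned char)p[6]))
        return 0;
    for (p += 6; isdigit((unsigned char)*p); p++) ;   /* skip the numeric <pid> */
    return strncmp(p, "/cwd", 4) == 0 && (p[4] == '\0' || p[4] == '/');
}

/* Match on the simplified form so "." and ".." cannot disguise the prefix.
 * Relative paths return 0: they still need the per-component symlink walk on
 * the original, since foo/unsafe/../bar simplifies to a safe-looking foo/bar. */
int unsafe_abs_path(const char *path)
{
    return path[0] == '/' && abs_path_check(simplify_path(path));
}
```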
Diffstat (limited to 'safepath.h')
0 files changed, 0 insertions, 0 deletions