field | value | date
---|---|---
author | Kaz Kylheku <kaz@kylheku.com> | 2022-07-29 08:11:15 -0700
committer | Kaz Kylheku <kaz@kylheku.com> | 2022-07-29 08:11:15 -0700
commit | 9780ab12e6fa9f2f6bd3bc4f9f476c5df382c445 (patch) |
tree | 65200a9482395087e0aff8847a18c5c1765f68e4 /tests |
parent | bad5feff45d5336c1d6de9f6aee69a2abab88a9f (diff) |
download | txr-9780ab12e6fa9f2f6bd3bc4f9f476c5df382c445.tar.gz txr-9780ab12e6fa9f2f6bd3bc4f9f476c5df382c445.tar.bz2 txr-9780ab12e6fa9f2f6bd3bc4f9f476c5df382c445.zip |
path-components-safe: repel /proc symlink attacks
In a Linux system, it's possible for an unprivileged
user to create a root symlink pointing to any directory,
simply by changing to that directory and running a setuid
executable like "su". That executable will get a process
whose /proc/<pid> directory is root owned, and contains
a symlink named cwd pointing to the current directory.
Other symlinks under /proc look exploitable in this way.
* stdlib/path-test.tl (safe-abs-path): New function.
Here is where we are going to check for unsafe paths.
We use some pattern matching to recognize various unsafe
symlinks under /proc.
(path-components-safe): Simplify code around recognition
of absolute paths. When an absolute path is read from
a symlink, remove the first empty component. Pass every
absolute path through safe-abs-path to check for known
unsafe paths.
* tests/018/path-safe.tl: New tests.
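The screen the commit describes, as an added example in Python that is not TXR's own stdlib/path-test.tl code: unsafe_proc_path stands in for the safe-abs-path pattern check and path_components_safe for the component walk that feeds every absolute path through it. The function names, the ownership rule (every component must be owned by root or the calling user), the lexical handling of ".." and the fixed list of /proc entries are this example's assumptions; the entries are the ones the commit's new tests exercise (cwd, root, fd/N, map_files, and the same entries under task/<tid>).

```python
import errno
import os
import stat

# Added example, not TXR's code. Assumptions: "safe" means every component is
# owned by root or the caller; ".." is folded lexically before pattern
# matching; the unsafe /proc entries are the ones listed below.

PROC_LINK_ENTRIES = ("cwd", "root", "map_files")


def normalize_abs(path):
    """Lexically split a path into components, dropping "" and "." and
    folding ".." into the components already collected."""
    comps = []
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if comps:
                comps.pop()
            continue
        comps.append(comp)
    return comps


def _is_proc_id(comp):
    # Both /proc/<pid> and /proc/self lead to per-process symlinks.
    return comp == "self" or comp.isdigit()


def _unsafe_proc_subpath(rest):
    """rest is the component list below /proc/<pid> or /proc/<pid>/task/<tid>."""
    if not rest:
        return False
    head = rest[0]
    if head in PROC_LINK_ENTRIES:
        # cwd and root are root-owned symlinks to directories the process
        # chose; map_files holds root-owned symlinks to mapped files.
        return True
    if head == "fd":
        # /proc/<pid>/fd is a directory; /proc/<pid>/fd/N is a symlink.
        return len(rest) >= 2
    if head == "task" and len(rest) >= 2 and rest[1].isdigit():
        return _unsafe_proc_subpath(rest[2:])
    return False


def unsafe_proc_path(path):
    """True if an absolute path passes through a known-unsafe /proc symlink."""
    if not path.startswith("/"):
        return False
    comps = normalize_abs(path)
    if len(comps) < 2 or comps[0] != "proc" or not _is_proc_id(comps[1]):
        return False
    return _unsafe_proc_subpath(comps[2:])


def _components(path):
    # ".." is kept here on purpose: the kernel resolves it when each prefix
    # is lstat'ed, so the walk sees the real directory.
    return [c for c in path.split("/") if c and c != "."]


def path_components_safe(path, trusted_uids=None, max_links=40):
    """Walk path one component at a time. Each component must be owned by a
    trusted uid, symlinks are followed by hand, and every absolute path that
    turns up (the input and each link target) is screened by
    unsafe_proc_path. Returns True/False; OSError propagates, which plays the
    role of the :error result in the commit's tests."""
    if trusted_uids is None:
        trusted_uids = {0, os.geteuid()}
    if not path.startswith("/"):
        return False  # relative paths rejected, like the "a" case in the test file
    if unsafe_proc_path(path):
        return False
    pending = _components(path)
    prefix = "/"
    links = 0
    while pending:
        cand = os.path.join(prefix, pending.pop(0))
        st = os.lstat(cand)
        if st.st_uid not in trusted_uids:
            return False
        if stat.S_ISLNK(st.st_mode):
            links += 1
            if links > max_links:
                raise OSError(errno.ELOOP, os.strerror(errno.ELOOP), cand)
            target = os.readlink(cand)
            resolved = target if target.startswith("/") else os.path.join(prefix, target)
            if unsafe_proc_path(resolved):
                return False
            # Re-walk from the root so the target's own components get checked.
            pending = _components(resolved) + pending
            prefix = "/"
            continue
        prefix = cand
    return True


if __name__ == "__main__":
    for p in ("/proc/1/fd", "/proc/1/fd/0", "/proc/sys/../1/cwd", "/proc/1/task/1"):
        print(p, "unsafe" if unsafe_proc_path(p) else "ok")
```

Two points differ from the TXR function's observable behaviour. The pattern check runs before any filesystem access, so "/proc/1/cwd" comes back False for an unprivileged caller instead of the :error the commit's first test block records. And a walk built on lstat plus readlink is inherently racy: it rejects the /proc trick described in the commit, but a component swapped by another process between the check and the later open is outside what it can guarantee.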
Diffstat (limited to 'tests')

mode | file | lines
---|---|---
-rw-r--r-- | tests/018/path-safe.tl | 25

1 files changed, 25 insertions, 0 deletions
diff --git a/tests/018/path-safe.tl b/tests/018/path-safe.tl index 767ee752..2c86ca3e 100644 --- a/tests/018/path-safe.tl +++ b/tests/018/path-safe.tl @@ -86,4 +86,29 @@ (test (path-components-safe "a") nil) +(mtest + (path-components-safe "/proc/1") t + (path-components-safe "/proc/1/cwd") :error + (path-components-safe "/proc/self/cwd") t) + (seteuid 0) + +(mtest + (path-components-safe "/proc/1") t + (path-components-safe "/proc/1/fd") t + (path-components-safe "/proc/sys/../1") t + (path-components-safe "/proc/1/cwd") nil + (path-components-safe "/proc/1/cwd/foo") nil + (path-components-safe "/proc/self/cwd") nil + (path-components-safe "/proc/self/cwd/foo") nil + (path-components-safe "/proc/1/root") nil + (path-components-safe "/proc/1/root/foo") nil + (path-components-safe "/proc/1/fd/0") nil + (path-components-safe "/proc/1/fd/0/bar") nil + (path-components-safe "/proc/1/map_files") nil + (path-components-safe "/proc/1/map_files/bar") nil + (path-components-safe "/proc/sys/../1/cwd") nil + (path-components-safe "/proc/1/task/1") t + (path-components-safe "/proc/1/task/1/fd/0") nil + (path-components-safe "/proc/1/task/1/cwd") nil + (path-components-safe "/proc/1/task/1/root") nil) |
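Review bot: the first mtest block only holds if the suite reaches it with a non-root effective uid and the following (seteuid 0) then succeeds, yet the hunk neither checks the starting euid nor restores it afterward: run as root from the start, (path-components-safe "/proc/1/cwd") :error becomes nil and the block fails, and every test that follows this file keeps running with euid 0. Suggest guarding the first block on (geteuid) and saving the euid before (seteuid 0) so it can be restored after the second mtest. Both blocks also hard-code Linux procfs entries such as "/proc/1/task/1" and "/proc/1/map_files", so they need a skip on hosts without a Linux /proc.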