Date: Thu, 20 Jun 2024 14:12:53 +0200
From: Stefano Brivio
To: "Richard W.M. Jones"
Subject: Re: [PATCH 7/8] conf, passt, tap: Open socket and PID files before switching UID/GID
Message-ID: <20240620141253.7e6d3855@elisabeth>
In-Reply-To: <20240620113054.GB1450@redhat.com>
References: <20240522205911.261325-1-sbrivio@redhat.com> <20240522205911.261325-8-sbrivio@redhat.com> <20240620113054.GB1450@redhat.com>
CC: David Gibson, passt-dev@passt.top, Minxi Hou
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Thu, 20 Jun 2024 12:30:54 +0100
"Richard W.M. Jones" wrote:

> On Wed, May 29, 2024 at 12:35:24PM +1000, David Gibson wrote:
> > On Wed, May 22, 2024 at 10:59:10PM +0200, Stefano Brivio wrote:
> > > Otherwise, if the user runs us as root, and gives us paths that are
> > > only accessible by root, we'll fail to open them, which might in turn
> > > encourage users to change permissions or ownerships: definitely a bad
> > > idea in terms of security.
> > >
> > > Reported-by: Minxi Hou
> > > Reported-by: Richard W.M. Jones
> > > Signed-off-by: Stefano Brivio
> >
> > Looking at this I did notice a pre-existing, well, maybe not bug
> > exactly, but possibly surprising behaviour, which makes me a
> > bit more nervous now that we can invoke it as root.
> >
> > tap_sock_unix_open() will silently truncate the given socket path to
> > the maximum length for a Unix socket. Which means we could bind(),
> > but also unlink() a path that's not exactly the same as the one
> > the user requested. I don't immediately see a way to exploit
> > that, but it's the sort of thing that makes me nervous. I think we
> > should instead outright fail if the given socket path is too long.
>
> Yes, agreed.
>
> It seems as if the latest passt code still does this. Do you want me
> to open a bug about it?

Yes, please, that, or a patch :)

-- 
Stefano
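The length check David asks for above, as an added example in C (not passt's code and not the real tap_sock_unix_open()): a hypothetical unix_addr_from_path() that refuses a socket path which would not fit in sun_path, next to a naive bounded copy that silently truncates it to a different name.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper (not passt code): fill @addr only if @path fits
 * in sun_path with its terminating NUL. Returns 0 on success and
 * -ENAMETOOLONG otherwise: the "outright fail" the thread proposes. */
int unix_addr_from_path(struct sockaddr_un *addr, const char *path)
{
	size_t len = strlen(path);

	if (len >= sizeof(addr->sun_path))
		return -ENAMETOOLONG;

	memset(addr, 0, sizeof(*addr));
	addr->sun_family = AF_UNIX;
	memcpy(addr->sun_path, path, len + 1);
	return 0;
}

/* Naive variant: a bounded copy silently yields a shorter, different
 * name, so a later bind() or unlink() acts on a path the user never
 * asked for. Returns 1 if the stored name differs from @path. */
int naive_copy_truncates(const char *path)
{
	struct sockaddr_un addr;
	strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
	addr.sun_path[sizeof(addr.sun_path) - 1] = '\0';
	return strcmp(addr.sun_path, path) != 0;
}

/* Constructed input: a 199-character path, longer than sun_path
 * (108 bytes on Linux). */
const char *overlong_path(void)
{
	static char path[200];
	memset(path, 'a', sizeof(path) - 1);
	path[0] = '/';
	path[sizeof(path) - 1] = '\0';
	return path;
}

/* Convenience wrapper: result of the checked helper for @path. */
int check_path(const char *path)
{
	struct sockaddr_un addr;
	return unix_addr_from_path(&addr, path);
}
```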