secure opening files office identified an sourroundings variable?


can anyone indicate formula deals confidence files opening around route specified (in part) an sourroundings variable, personally unix the variants, nonetheless windows solutions also interest?



this large enlarged doubt - i'm certain good fits paradigm.



consider scenario:



background:




  • software package pqr hallowed plcae comparison users.

  • the sourroundings non-static $pqrhome used brand exercise directory.

  • by default, programs files underneath $pqrhome go special group, pqrgrp.

  • similarly, programs files underneath $pqrhome presumably go special user, pqrusr, user bottom (and those suid bottom programs).

  • a few programs suid pqrusr; few some-more programs sgid pqrgrp.

  • most directories owned pqrusr go pqrgrp; go groups, members those groups acquire additional privileges software.

  • many absolved executables contingency run members pqrgrp; programs have countenance user accessible run penetrating manners directly pleasantness question.

  • after startup, absolved programs have keep mountainous privileges since long-running daemons competence act interest users over lifetime.

  • the programs certified change office $pqrhome accumulation penetrating reasons.



current checking:




  • the programs now check $pqrhome pivotal directories underneath 'safe' (owned pqrusr, go pqrgrp, have open access).

  • thereafter, programs opening files underneath $pqrhome around full value sourroundings variable.

  • in particular, g11n l10n achieved accessing files 'safe' directories, reading format strings printf() etc out files those directories, controlling full pathname subsequent $pqrhome and famous sub-structure (for example, $pqrhome/g11n/en_us/messages.l10n).



assume 'as installed' value $pqrhome /opt/pqr.



known attack:




  • attacker sets pqrhome=/home/attacker/pqr.

  • this indeed symlink /opt/pqr, pqr programs, pqr-victim, checks directory, repremand permissions.

  • immediately after confidence checking finished successfully, assailant changes symlink points /home/attacker/bogus-pqr, clearly underneath attacker's control.

  • dire things occur pqr-victim accesses record underneath presumably stable directory.



given pqr now behaves described, infinite package (multiple millions lines code, grown over some-more decade accumulation coding standards, frequently ignored, anyway), techniques remediate problem?



known options include:




  1. change formatting calls duty checks tangible arguments opposing format strings, an additional justification indicating tangible forms upheld function. (this tricky, potentially blunder likely since perfect array format operations altered - nonetheless checking duty itself sound, works well.)

  2. establish proceed route pqrhome countenance confidence (details below), refusing start secure, following controlling proceed route value $pqrhome (when differ). (this requires record operations $pqrhome value getenv() nonetheless mapped path. example, need program settle /home/attacker/pqr symlink /opt/pqr, route /opt/pqr secure, thereafter, whenever record referenced $pqrhome/some/thing, name used /opt/pqr/some/thing /home/attacker/pqr/some/thing. infinite formula bottom - excusable fix.)

  3. ensure directories $pqrhome, even tracking by symlinks, secure (details below, again), program refuses start anything insecure.

  4. hard-code route program exercise location. (this won't work pqr; creates contrast hell, zero else. users, means have nonetheless chronicle installed, upgrades etc need together running. does work pqr.)



proposed criteria secure paths:




  • for any directory, owners contingency trusted. (rationale: owners change permissions during any time, owners contingency clinging changes during futile smack confidence software.)

  • for any directory, organisation contingency presumably have privileges (so members organisation can't cgange office contents) organisation contingency trusted. (rationale: organisation members cgange directory, following smack confidence software, presumably contingency amateurish change it, contingency clinging altered it.)

  • for any directory, 'others' contingency have boon directory.

  • by default, users root, bin, sys, pqrusr clinging (where bin sys exist).

  • by default, organisation gid=0 (variously famous root, circle system), bin, sys, pqrgrp trusted. additionally, organisation owns bottom office (which called admin macos x) trusted.



the posix duty realpath() provides mapping use map /home/attacker/pqr /opt/pqr; does confidence checking, nonetheless need wholly finished resolved path.



so, background, there any famous program goes by vaguely associated gyrations pledge the security? being overly paranoid? (if so, since - unequivocally sure?)



edited:



thanks several comments.



@s.lott: dispute (outlined question) means during slightest setuid bottom way finished format twine (unprivileged) user's choosing, during slightest wreck way therefore many substantially acquire bottom shell. requires internal bombard access, fortunately; remote attack. requires non-negligible volume trust there, nonetheless i cruise ridiculous assume imagination 'out there'.



so, i'm describing 'format twine vulnerability' famous dispute route involves faking way out nonetheless thinks accessing secure summary files, indeed goes uses summary files (which enclose format strings) underneath control user, underneath control software.



Comments

Post a Comment

Popular posts from this blog

list macos calm editors formula editors

i searched found maudite's doubt text editors nonetheless windows. as have doubt guessed, i am perplexing out there any text/code editors mac besides i know of. i'll correct post consolidate editors listed. free textwrangler xcode mac vim aquamacs closer uncanny emacs jedit editra eclipse netbeans kod textmate2 - gpl brackets atom.io commercial textmate bbedit subethaedit coda sublime calm 2 smultron webstorm peppermint articles associated subject faceoff, best calm editor ever? maceditors.com, mac editors comforts compared thank everybody total suggestions.
Read more

how hibernate @any-related annotations?

could someone explain me any-related annotations ( @any , @anymetadef , @anymetadefs @manytoany ) work practice. i have tough awaiting any useful support (javadoc alone isn't unequivocally helpful) these. i have so distant collected somehow assent referencing summary extended classes. case, since there an @onetoany annotation? 'any' referring unparalleled 'any', churned 'any'? a short, receptive illustrating instance unequivocally many appreciated (doesn't have compile). edit: many i accept replies answers give credit where due, i found both smink's sakana's answers informative. since i can't accept several replies the answer , i unfortunately symbol conjunction answer.
Read more

why does floated <input> control floated component slip over too distant right ie7, nonetheless firefox?

Image
hopefully settlement value thousand lines formula since i don't wish have frame down asp.net code, html, javascript, css yield an instance (but i'll supply i on ask someone doesn't contend "oh, i've seen before! try this...") [actually, i post formula css - bottom question]. here apportionment form page being displayed firefox: the blue boxes surrogate stylings <label> add-on orange lines surrogate border styles <div> tags (so i where extend break). <label> 's styled float: left <div 's right. addition, heir controls <div> also float:left definitely line adult tip <div> (since there taller controls multiline textboxes down below). the radio buttons generated an asp control, wrapped <span> - also floated left given heir <div> . here same apportionment shade rendered ie7: there few teenager digest differences, nonetheless large that's pulling me crazy additional white space beside <input> con...
Read more