From 7814554e0827ece778ca88fd90832bd4d05520b1 Mon Sep 17 00:00:00 2001
From: Jakub Filak <jfilak@redhat.com>
Date: Fri, 24 Apr 2015 13:48:32 +0200
Subject: [ABRT PATCH] dbus: avoid race-conditions in tests for dum dir
availability
Florian Weimer <fweimer@redhat.com>
dump_dir_accessible_by_uid() is fundamentally insecure because it
opens up a classic time-of-check-time-of-use race between this
function and dd_opendir().
Related: #1214745
Signed-off-by: Jakub Filak <jfilak@redhat.com>
---
src/dbus/abrt-dbus.c | 66 ++++++++++++++++++++++++++++++++++++++++++++-------
src/lib/problem_api.c | 15 ++++++++++--
2 files changed, 71 insertions(+), 10 deletions(-)
diff --git a/src/dbus/abrt-dbus.c b/src/dbus/abrt-dbus.c
index 7400dff..9e1844a 100644
--- a/src/dbus/abrt-dbus.c
+++ b/src/dbus/abrt-dbus.c
@@ -245,7 +245,15 @@ static struct dump_dir *open_directory_for_modification_of_element(
}
}
- if (!dump_dir_accessible_by_uid(problem_id, caller_uid))
+ int dir_fd = dd_openfd(problem_id);
+ if (dir_fd < 0)
+ {
+ perror_msg("can't open problem directory '%s'", problem_id);
+ return_InvalidProblemDir_error(invocation, problem_id);
+ return NULL;
+ }
+
+ if (!fdump_dir_accessible_by_uid(dir_fd, caller_uid))
{
if (errno == ENOTDIR)
{
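Review bot: With the directory now opened by `dd_openfd()` before the access check, the `errno == ENOTDIR` branch that follows `fdump_dir_accessible_by_uid()` presumably no longer sees a missing problem directory: a nonexistent path already fails at the open and is answered with `return_InvalidProblemDir_error` on the lines above it. Unless fdump_dir_accessible_by_uid() can still set ENOTDIR for an already-open descriptor, that branch is now dead for the case its message describes; the same applies to the hunks at @@ -429, @@ -497 and @@ -677. Either drop the branch or mark why it is kept, e.g. `/* missing directories already failed in dd_openfd() above */`. The enclosing open_directory_for_modification_of_element() starts and ends outside this hunk.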
@@ -260,10 +268,11 @@ static struct dump_dir *open_directory_for_modification_of_element(
_("Not Authorized"));
}
+ close(dir_fd);
return NULL;
}
- struct dump_dir *dd = dd_opendir(problem_id, /* flags : */ 0);
+ struct dump_dir *dd = dd_fdopendir(dir_fd, problem_id, /* flags : */ 0);
if (!dd)
{ /* This should not happen because of the access check above */
log_notice("Can't access the problem '%s' for modification", problem_id);
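Review bot: Whether `dir_fd` is still open when `dd_fdopendir()` returns NULL is not visible here, and the `if (!dd)` branch does not close it, while every other failure path in this hunk now calls `close(dir_fd)`. If dd_fdopendir() does not take ownership of the descriptor on failure, one fd leaks per failed call; if it does, a comment at the call site would spare the next reader the same question, e.g. `/* dd_fdopendir() owns dir_fd from here on, also on failure */` — confirm against the dd_fdopendir() implementation. The same question applies to the `if (!dd)` branches at @@ -460 and @@ -512, the `if (dd)` at @@ -677, and the dd_fdopendir() call at @@ -54 of problem_api.c. open_directory_for_modification_of_element() continues past the end of this hunk.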
@@ -429,7 +438,15 @@ static void handle_method_call(GDBusConnection *connection,
return;
}
- int ddstat = dump_dir_stat_for_uid(problem_dir, caller_uid);
+ int dir_fd = dd_openfd(problem_dir);
+ if (dir_fd < 0)
+ {
+ perror_msg("can't open problem directory '%s'", problem_dir);
+ return_InvalidProblemDir_error(invocation, problem_dir);
+ return;
+ }
+
+ int ddstat = fdump_dir_stat_for_uid(dir_fd, caller_uid);
if (ddstat < 0)
{
if (errno == ENOTDIR)
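Review bot: The open-then-reply prologue added at the top of this hunk (`dd_openfd`, `perror_msg`, `return_InvalidProblemDir_error`, return) is repeated verbatim in the hunks at @@ -245, @@ -497 and @@ -677, differing only in the value returned. A small static helper that opens the directory and sends the InvalidProblemDir reply on failure would keep the four copies from drifting, and it is the natural place to document that the returned descriptor belongs to the caller until it is handed to dd_fdopendir() or closed. handle_method_call() starts and ends outside this hunk.
```c
/* Open the problem directory named in a D-Bus request.  On failure the
 * InvalidProblemDir reply has already been sent and the caller only has
 * to return.  On success the caller owns the returned descriptor until
 * it is passed to dd_fdopendir() or closed. */
static int open_problem_dir_for_request(GDBusMethodInvocation *invocation,
                                        const char *problem_dir)
{
    int dir_fd = dd_openfd(problem_dir);
    if (dir_fd < 0)
    {
        perror_msg("can't open problem directory '%s'", problem_dir);
        return_InvalidProblemDir_error(invocation, problem_dir);
    }
    return dir_fd;
}

/* … unchanged: handle_method_call() up to the caller_uid check … */
    int dir_fd = open_problem_dir_for_request(invocation, problem_dir);
    if (dir_fd < 0)
        return;

    int ddstat = fdump_dir_stat_for_uid(dir_fd, caller_uid);
```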
@@ -443,6 +460,7 @@ static void handle_method_call(GDBusConnection *connection,
return_InvalidProblemDir_error(invocation, problem_dir);
+ close(dir_fd);
return;
}
@@ -450,6 +468,7 @@ static void handle_method_call(GDBusConnection *connection,
{ //caller seems to be in group with access to this dir, so no action needed
log_notice("caller has access to the requested directory %s", problem_dir);
g_dbus_method_invocation_return_value(invocation, NULL);
+ close(dir_fd);
return;
}
@@ -460,10 +479,11 @@ static void handle_method_call(GDBusConnection *connection,
g_dbus_method_invocation_return_dbus_error(invocation,
"org.freedesktop.problems.AuthFailure",
_("Not Authorized"));
+ close(dir_fd);
return;
}
- struct dump_dir *dd = dd_opendir(problem_dir, DD_OPEN_READONLY | DD_FAIL_QUIETLY_EACCES);
+ struct dump_dir *dd = dd_fdopendir(dir_fd, problem_dir, DD_OPEN_READONLY | DD_FAIL_QUIETLY_EACCES);
if (!dd)
{
return_InvalidProblemDir_error(invocation, problem_dir);
@@ -497,12 +517,21 @@ static void handle_method_call(GDBusConnection *connection,
return;
}
- if (!dump_dir_accessible_by_uid(problem_dir, caller_uid))
+ int dir_fd = dd_openfd(problem_dir);
+ if (dir_fd < 0)
+ {
+ perror_msg("can't open problem directory '%s'", problem_dir);
+ return_InvalidProblemDir_error(invocation, problem_dir);
+ return;
+ }
+
+ if (!fdump_dir_accessible_by_uid(dir_fd, caller_uid))
{
if (errno == ENOTDIR)
{
log_notice("Requested directory does not exist '%s'", problem_dir);
return_InvalidProblemDir_error(invocation, problem_dir);
+ close(dir_fd);
return;
}
@@ -512,11 +541,12 @@ static void handle_method_call(GDBusConnection *connection,
g_dbus_method_invocation_return_dbus_error(invocation,
"org.freedesktop.problems.AuthFailure",
_("Not Authorized"));
+ close(dir_fd);
return;
}
}
- struct dump_dir *dd = dd_opendir(problem_dir, DD_OPEN_READONLY | DD_FAIL_QUIETLY_EACCES);
+ struct dump_dir *dd = dd_fdopendir(dir_fd, problem_dir, DD_OPEN_READONLY | DD_FAIL_QUIETLY_EACCES);
if (!dd)
{
return_InvalidProblemDir_error(invocation, problem_dir);
@@ -677,20 +707,40 @@ static void handle_method_call(GDBusConnection *connection,
for (GList *l = problem_dirs; l; l = l->next)
{
const char *dir_name = (const char*)l->data;
- if (!dump_dir_accessible_by_uid(dir_name, caller_uid))
+
+ int dir_fd = dd_openfd(dir_name);
+ if (dir_fd < 0)
+ {
+ perror_msg("can't open problem directory '%s'", dir_name);
+ return_InvalidProblemDir_error(invocation, dir_name);
+ return;
+ }
+
+ if (!fdump_dir_accessible_by_uid(dir_fd, caller_uid))
{
if (errno == ENOTDIR)
{
log_notice("Requested directory does not exist '%s'", dir_name);
+ close(dir_fd);
continue;
}
if (polkit_check_authorization_dname(caller, "org.freedesktop.problems.getall") != PolkitYes)
{ // if user didn't provide correct credentials, just move to the next dir
+ close(dir_fd);
continue;
}
}
- delete_dump_dir(dir_name);
+
+ struct dump_dir *dd = dd_fdopendir(dir_fd, dir_name, /*flags:*/ 0);
+ if (dd)
+ {
+ if (dd_delete(dd) != 0)
+ {
+ error_msg("Failed to delete problem directory '%s'", dir_name);
+ dd_close(dd);
+ }
+ }
}
g_dbus_method_invocation_return_value(invocation, NULL);
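Review bot: A directory that cannot be opened now aborts the whole deletion loop with `return` (the `dir_fd < 0` block after `int dir_fd = dd_openfd(dir_name);`), while the neighbouring ENOTDIR and polkit failures `continue` to the next entry. Judging by the message in the ENOTDIR branch, a missing directory used to be skipped; after this change one bad name in the list stops deletion of the remaining entries after earlier ones have already been removed, and if problem_dirs is freed after the loop (outside the hunk) that cleanup is skipped as well. Replacing `return_InvalidProblemDir_error(invocation, dir_name); return;` with `continue;` restores the per-entry skip, or validate every name before deleting any. A NULL from `dd_fdopendir()` is also skipped without a message here; a `log_notice` there would match the ENOTDIR branch. The enclosing for loop is fully inside the hunk but handle_method_call() is not.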
diff --git a/src/lib/problem_api.c b/src/lib/problem_api.c
index c2b4b1c..b343882 100644
--- a/src/lib/problem_api.c
+++ b/src/lib/problem_api.c
@@ -46,7 +46,15 @@ int for_each_problem_in_dir(const char *path,
continue; /* skip "." and ".." */
char *full_name = concat_path_file(path, dent->d_name);
- if (caller_uid == -1 || dump_dir_accessible_by_uid(full_name, caller_uid))
+
+ int dir_fd = dd_openfd(full_name);
+ if (dir_fd < 0)
+ {
+ VERB2 perror_msg("can't open problem directory '%s'", full_name);
+ continue;
+ }
+
+ if (caller_uid == -1 || fdump_dir_accessible_by_uid(dir_fd, caller_uid))
{
/* Silently ignore *any* errors, not only EACCES.
* We saw "lock file is locked by process PID" error
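Review bot: `full_name` from `concat_path_file()` is leaked on the new `continue` in the `dir_fd < 0` block: the only `free(full_name)` is at the bottom of the loop body (hunk @@ -62), and this early `continue` skips it, so every entry that cannot be opened leaks one allocation per call. Add `free(full_name);` before that `continue;`, or fall through to the existing `else close(dir_fd)`/free path with a flag. for_each_problem_in_dir() starts and ends outside this hunk.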
@@ -54,7 +62,7 @@ int for_each_problem_in_dir(const char *path,
*/
int sv_logmode = logmode;
logmode = 0;
- struct dump_dir *dd = dd_opendir(full_name, DD_OPEN_READONLY | DD_FAIL_QUIETLY_EACCES | DD_DONT_WAIT_FOR_LOCK);
+ struct dump_dir *dd = dd_fdopendir(dir_fd, full_name, DD_OPEN_READONLY | DD_FAIL_QUIETLY_EACCES | DD_DONT_WAIT_FOR_LOCK);
logmode = sv_logmode;
if (dd)
{
@@ -62,6 +70,9 @@ int for_each_problem_in_dir(const char *path,
dd_close(dd);
}
}
+ else
+ close(dir_fd);
+
free(full_name);
if (brk)
break;
--
1.8.3.1