|
|
a60cd7 |
From a4e47c753e9d7988f4d938ed2e0fd690a909ce68 Mon Sep 17 00:00:00 2001
|
|
|
a60cd7 |
From: Jakub Filak <jfilak@redhat.com>
|
|
|
a60cd7 |
Date: Mon, 20 Apr 2015 15:15:40 +0200
|
|
|
a60cd7 |
Subject: [ABRT PATCH] upload: validate and sanitize uploaded dump directories
|
|
|
a60cd7 |
|
|
|
a60cd7 |
It was discovered that, when moving problem reports from
|
|
|
a60cd7 |
/var/spool/abrt-upload to /var/spool/abrt or /var/tmp/abrt,
|
|
|
a60cd7 |
abrt-handle-upload does not verify that the new problem directory
|
|
|
a60cd7 |
has appropriate permissions and does not contain symbolic links. A
|
|
|
a60cd7 |
crafted problem report exposes other parts of abrt to attack, and
|
|
|
a60cd7 |
the abrt-handle-upload script allows to overwrite arbitrary files.
|
|
|
a60cd7 |
|
|
|
a60cd7 |
Acknowledgement:
|
|
|
a60cd7 |
|
|
|
a60cd7 |
This issue was discovered by Florian Weimer of Red Hat Product Security.
|
|
|
a60cd7 |
|
|
|
a60cd7 |
Related: #1212953
|
|
|
a60cd7 |
|
|
|
a60cd7 |
Signed-off-by: Jakub Filak <jfilak@redhat.com>
|
|
|
a60cd7 |
---
|
|
|
a60cd7 |
src/daemon/abrt-handle-upload.in | 78 +++++++++++++++++++++++++++++++++++-----
|
|
|
a60cd7 |
1 file changed, 70 insertions(+), 8 deletions(-)
|
|
|
a60cd7 |
|
|
|
a60cd7 |
diff --git a/src/daemon/abrt-handle-upload.in b/src/daemon/abrt-handle-upload.in
|
|
|
a60cd7 |
index dbc4534..7720da4 100755
|
|
|
a60cd7 |
--- a/src/daemon/abrt-handle-upload.in
|
|
|
a60cd7 |
+++ b/src/daemon/abrt-handle-upload.in
|
|
|
a60cd7 |
@@ -10,6 +10,7 @@ import getopt
|
|
|
a60cd7 |
import tempfile
|
|
|
a60cd7 |
import shutil
|
|
|
a60cd7 |
import datetime
|
|
|
a60cd7 |
+import grp
|
|
|
a60cd7 |
|
|
|
a60cd7 |
from reportclient import set_verbosity, error_msg_and_die, error_msg, log
|
|
|
a60cd7 |
|
|
|
a60cd7 |
@@ -36,12 +37,77 @@ def init_gettext():
|
|
|
a60cd7 |
|
|
|
a60cd7 |
import problem
|
|
|
a60cd7 |
|
|
|
a60cd7 |
-def write_str_to(filename, s):
|
|
|
a60cd7 |
- fd = os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, @DEFAULT_DUMP_DIR_MODE@ | stat.S_IROTH)
|
|
|
a60cd7 |
+def write_str_to(filename, s, uid, gid, mode):
|
|
|
a60cd7 |
+ fd = os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
|
|
|
a60cd7 |
if fd >= 0:
|
|
|
a60cd7 |
+ os.fchown(fd, uid, gid)
|
|
|
a60cd7 |
os.write(fd, s)
|
|
|
a60cd7 |
os.close(fd)
|
|
|
a60cd7 |
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
+def validate_transform_move_and_notify(uploaded_dir_path, problem_dir_path, dest=None):
|
|
|
a60cd7 |
+ fsuid = 0
|
|
|
a60cd7 |
+ fsgid = 0
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
+ try:
|
|
|
a60cd7 |
+ gabrt = grp.getgrnam("abrt")
|
|
|
a60cd7 |
+ fsgid = gabrt.gr_gid
|
|
|
a60cd7 |
+ except KeyError as ex:
|
|
|
a60cd7 |
+ error_msg("Failed to get GID of 'abrt' (using 0 instead): {0}'".format(str(ex)))
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
+ try:
|
|
|
a60cd7 |
+ # give the uploaded directory to 'root:abrt' or 'root:root'
|
|
|
a60cd7 |
+ os.chown(uploaded_dir_path, fsuid, fsgid)
|
|
|
a60cd7 |
+ # set the right permissions for this machine
|
|
|
a60cd7 |
+ # (allow the owner and the group to access problem elements,
|
|
|
a60cd7 |
+ # the default dump dir mode lacks x bit for both)
|
|
|
a60cd7 |
+ os.chmod(uploaded_dir_path, @DEFAULT_DUMP_DIR_MODE@ | stat.S_IXUSR | stat.S_IXGRP)
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
+ # sanitize problem elements
|
|
|
a60cd7 |
+ for item in os.listdir(uploaded_dir_path):
|
|
|
a60cd7 |
+ apath = os.path.join(uploaded_dir_path, item)
|
|
|
a60cd7 |
+ if os.path.islink(apath):
|
|
|
a60cd7 |
+ # remove symbolic links
|
|
|
a60cd7 |
+ os.remove(apath)
|
|
|
a60cd7 |
+ elif os.path.isdir(apath):
|
|
|
a60cd7 |
+ # remove directories
|
|
|
a60cd7 |
+ shutil.rmtree(apath)
|
|
|
a60cd7 |
+ elif os.path.isfile(apath):
|
|
|
a60cd7 |
+ # set file ownership to 'root:abrt' or 'root:root'
|
|
|
a60cd7 |
+ os.chown(apath, fsuid, fsgid)
|
|
|
a60cd7 |
+ # set the right file permissions for this machine
|
|
|
a60cd7 |
+ os.chmod(apath, @DEFAULT_DUMP_DIR_MODE@)
|
|
|
a60cd7 |
+ else:
|
|
|
a60cd7 |
+ # remove things that are neither files, symlinks nor directories
|
|
|
a60cd7 |
+ os.remove(apath)
|
|
|
a60cd7 |
+ except OSError as ex:
|
|
|
a60cd7 |
+ error_msg("Removing uploaded dir '{0}': '{1}'".format(uploaded_dir_path, str(ex)))
|
|
|
a60cd7 |
+ try:
|
|
|
a60cd7 |
+ shutil.rmtree(uploaded_dir_path)
|
|
|
a60cd7 |
+ except OSError as ex2:
|
|
|
a60cd7 |
+ error_msg_and_die("Failed to clean up dir '{0}': '{1}'".format(uploaded_dir_path, str(ex2)))
|
|
|
a60cd7 |
+ return
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
+ # overwrite remote if it exists
|
|
|
a60cd7 |
+ remote_path = os.path.join(uploaded_dir_path, "remote")
|
|
|
a60cd7 |
+ write_str_to(remote_path, "1", fsuid, fsgid, @DEFAULT_DUMP_DIR_MODE@)
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
+ # abrtd would increment count value and abrt-server refuses to process
|
|
|
a60cd7 |
+ # problem directories containing 'count' element when PrivateReports is on.
|
|
|
a60cd7 |
+ count_path = os.path.join(uploaded_dir_path, "count")
|
|
|
a60cd7 |
+ if os.path.exists(count_path):
|
|
|
a60cd7 |
+ # overwrite remote_count if it exists
|
|
|
a60cd7 |
+ remote_count_path = os.path.join(uploaded_dir_path, "remote_count")
|
|
|
a60cd7 |
+ os.rename(count_path, remote_count_path)
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
+ if not dest:
|
|
|
a60cd7 |
+ dest = problem_dir_path
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
+ shutil.move(uploaded_dir_path, dest)
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
+ problem.notify_new_path(problem_dir_path)
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
+
|
|
|
a60cd7 |
if __name__ == "__main__":
|
|
|
a60cd7 |
|
|
|
a60cd7 |
# Helper: exit with cleanup
|
|
|
a60cd7 |
@@ -177,21 +243,17 @@ if __name__ == "__main__":
|
|
|
a60cd7 |
# or one or more complete problem data directories.
|
|
|
a60cd7 |
# Checking second possibility first.
|
|
|
a60cd7 |
if os.path.exists(tempdir+"/analyzer") and os.path.exists(tempdir+"/time"):
|
|
|
a60cd7 |
- write_str_to(tempdir+"/remote", "1")
|
|
|
a60cd7 |
- shutil.move(tempdir, abrt_dir)
|
|
|
a60cd7 |
- problem.notify_new_path(abrt_dir+"/"+os.path.basename(tempdir))
|
|
|
a60cd7 |
+ validate_transform_move_and_notify(tempdir, abrt_dir+"/"+os.path.basename(tempdir), dest=abrt_dir)
|
|
|
a60cd7 |
else:
|
|
|
a60cd7 |
for d in os.listdir(tempdir):
|
|
|
a60cd7 |
if not os.path.isdir(tempdir+"/"+d):
|
|
|
a60cd7 |
continue
|
|
|
a60cd7 |
- write_str_to(tempdir+"/"+d+"/remote", "1")
|
|
|
a60cd7 |
dst = abrt_dir+"/"+d
|
|
|
a60cd7 |
if os.path.exists(dst):
|
|
|
a60cd7 |
dst += "."+str(os.getpid())
|
|
|
a60cd7 |
if os.path.exists(dst):
|
|
|
a60cd7 |
continue
|
|
|
a60cd7 |
- shutil.move(tempdir+"/"+d, dst)
|
|
|
a60cd7 |
- problem.notify_new_path(dst)
|
|
|
a60cd7 |
+ validate_transform_move_and_notify(tempdir+"/"+d, dst)
|
|
|
a60cd7 |
|
|
|
a60cd7 |
die_exitcode = 0
|
|
|
a60cd7 |
# This deletes working_dir (== delete_on_exit)
|
|
|
a60cd7 |
--
|
|
|
a60cd7 |
1.8.3.1
|
|
|
a60cd7 |
|