From 88cd3ff7eb57330a13dda051c0ab2cb65121c145 Mon Sep 17 00:00:00 2001
From: Juan RP
Date: Wed, 6 Jul 2011 17:00:59 +0200
Subject: [PATCH] xbps-src: improved xbps-src-chroot-capmount helper.

The new code now has some security enhancements that only allows to bind mount a filesystem when the user executing the process owns the target directory and has read/write permissions on it.
---
 xbps-src/libexec/mount.c | 57 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 53 insertions(+), 4 deletions(-)

diff --git a/xbps-src/libexec/mount.c b/xbps-src/libexec/mount.c
index 6af66e8fd0f..1c6d0639636 100644
--- a/xbps-src/libexec/mount.c
+++ b/xbps-src/libexec/mount.c
@@ -1,8 +1,36 @@
+/*-
+ * Copyright (c) 2010-2011 Juan Romero Pardines.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
 /*
  * Bind mounts a filesystem mountpoint into the target directory,
- * by using the CAP_SYS_ADMIN capability set on the file.
+ * by using the CAP_SYS_ADMIN capability set on the program.
  *
- * Juan RP - 2010/04/26 - Public Domain.
+ * Only mounts are possible when user running the process owns
+ * the target directory and has read/write permission on it.
+ *
+ * Mounts are also mounted with nosuid for security meassures.
  */
 #include
 #include
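Review bot: The new header comment states that mounts are only possible when the caller "has read/write permission" on the target, but the permission test added later in this patch only looks at read/execute bits (S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP) and never at S_IWUSR, so the comment promises more than the code enforces; either reword it to what is actually checked or extend the check to match. The same comment misspells "measures"; suggested wording: `* Mounts are also performed with nosuid as a security measure.`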
@@ -11,12 +39,15 @@
 #include
 #include
 #include
+#include
 #include
 
+#define _PROGNAME "xbps-src-chroot-capmount"
+
 void
 usage(void)
 {
- fprintf(stderr, "Usage: xbps-src-capbmount [-w] \n");
+ fprintf(stderr, "Usage: %s [-w] \n", _PROGNAME);
 exit(EXIT_FAILURE);
 }
 
@@ -25,6 +56,7 @@ main(int argc, char **argv)
 {
 cap_t cap;
 cap_flag_value_t effective, permitted;
+ struct stat st;
 unsigned long flags;
 int c, rv;
 bool dowrite = false;
@@ -63,10 +95,27 @@ main(int argc, char **argv)
 }
 cap_free(cap);
- flags = MS_BIND;
+ /*
+ * Bind mount with nosuid.
+ */
+ flags = MS_BIND | MS_NOSUID;
 if (!dowrite)
 flags |= MS_RDONLY;
+ /*
+ * Check that uid/gid owns the dir and has rx perms on it.
+ */
+ if (stat(argv[1], &st) == -1) {
+ fprintf(stderr, "ERROR: stat() on %s: %s\n",
+ argv[1], strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+ if ((st.st_uid != getuid()) && (st.st_gid != getgid()) &&
+ (st.st_mode & (S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP))) {
+ fprintf(stderr, "ERROR: wrong permissions on %s!\n", argv[1]);
+ exit(EXIT_FAILURE);
+ }
+
 rv = mount(argv[0], argv[1], "none", flags, NULL);
 if (rv != 0) {
 fprintf(stderr, "E: cannot mount %s into %s: %s\n", argv[0],
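Review bot: `_PROGNAME` in the new #define is a reserved identifier: in C, names that begin with an underscore followed by an uppercase letter are reserved for the implementation (C11 §7.1.3), so a conforming libc may already define one with that spelling. A plain name avoids the collision, e.g. `#define PROGNAME "xbps-src-chroot-capmount"`, with the fprintf() in usage() updated to match.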
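Review bot: The ownership/permission test added to main() does not enforce the policy it is meant to: `if ((st.st_uid != getuid()) && (st.st_gid != getgid()) && (st.st_mode & (S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP)))` only rejects a target that is owned by neither the caller's uid nor the caller's gid and additionally has some r/x bit set, so ownership is never actually required — any target whose group matches getgid() passes, as does any target with no read/execute bits at all, whoever owns it — and the write permission named in the commit message is never examined. Requiring each condition positively does what the comment describes: `if (st.st_uid != getuid() || (st.st_mode & (S_IRUSR|S_IWUSR|S_IXUSR)) != (S_IRUSR|S_IWUSR|S_IXUSR)) {`, and an `S_ISDIR(st.st_mode)` test in the same condition would reject non-directory targets up front. Since stat() and mount() each resolve argv[1] on their own, the target can presumably be swapped between the two calls; fstat() on an opened directory descriptor and mounting through that descriptor would close the window, but the rest of main() is outside this hunk so that is best confirmed against the full function.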