On Mon, May 29, 2023 at 11:45:33AM -0700, Richard Doyle via Dng wrote:
> Setting fs.protected_regular=2, as seems to be the default in Devuan
> Chimaera, can have interesting effects:
> richard@prost:~$ touch /tmp/somefile
> richard@prost:~$ su
> Password:
> root@prost:/home/richard# ls -al /tmp/
> total 20
> drwxrwxrwt 3 root root 4096 May 29 10:47 .
> drwxr-xr-x 22 root root 4096 May 17 10:55 ..
> drwxrwxrwt 2 root root 4096 May 16 16:54 .ICE-unix
> -rw-r--r-- 1 richard richard 0 May 29 10:47 somefile
> drwxrwxrwt 2 root root 4096 May 16 16:54 .X11-unix
> root@prost:/home/richard# echo "stuff" > /tmp/somefile
> bash: /tmp/somefile: Permission denied
> Huh? I can create a file in /tmp as a normal user that root cannot
> modify. This surprises me, and I suspect it might surprise software
> running on my systems.
While protected_symlinks and protected_hardlinks *probably* protects
us, this is not something we want to do habitually. ie. before those
two settings were available and on by default, richard may have been
able to replace somefile by a symlink to /etc/passwd before root got
to do the echo. But even now, if root wants to do something more complex
(run vim) and richard knows a vulnerability, there is trouble.
The canonical reference for these matters:
https://openwall.info/wiki/internal/accessing-users-files-as-root-safely
In fact I have a couple of scripts that do the job of the "take" and
"give" hypotethically referenced there.
--
Ian