Hi Stephen-- On Thu 2019-08-29 23:18:53 +0200, Stephen Kitt wrote:
> Thanks for taking an interest in this, I’ve often wondered if I’d got my
> analysis right...
thanks for taking another look at this with me.
> But all this happens inside $tempdir, which is root:root 700. If anyone can
> race there, or read files, we’ve lost already, haven’t we? And if they can’t,
> then we’re safe, at least until we copy the files elsewhere — and I think at
> this point we’re sure the files can only match the contents of the archives we
> unpack.
OK, that's certainly an improved argument for why it doesn't matter as
much, compared to the lintian-override :)
But from a defense-in-depth scenario, it'd still be much nicer to not
worry about this stuff happening at all :/ For example, what if there
is a bug in the network fetching or archive extraction tools?
> The scenario I was thinking of when I wrote my comment was the issue of
> suid/sgid binaries, since those could be stored in the archives we extract.
> But even then, I don’t think there would be a way of exploiting them even if
> the chown happened before the chmods, and in any case the archives are
> extracted without preserving permissions...
Is there a reason that the archives need to be fetched and extracted as
the superuser in the first place? If all that work was done by a
non-privileged user, then there'd be no chance of the files being
suid/sgid even if there was a heinous bug in the extractor, because the
kernel wouldn't let that happen.
Then you could ignore the chown, and just ensure that the files are
world-readable in the normal way.
--dkg
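Added example (not code from either correspondent or from the package under discussion) illustrating the "extract without preserving permissions, then make the files world-readable in the normal way" step from the exchange above: it unpacks into a private 0700 directory, discards the archive's owner and mode bits so a member stored as root-owned 4755 cannot come out setuid regardless of which user runs the extraction, and then audits the result for leftover special bits. The sample archive, and the normalize-to-0644/0755 policy, are constructed assumptions.

```python
import io, os, stat, tarfile, tempfile

def _inside(base, target):
    """True when target resolves under base (rejects '../' escapes and symlink tricks)."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base

def extract_normalized(archive_path, dest_dir):
    """Extract regular files and directories only, ignoring the archive's owner,
    group and mode: files get 0644 (0755 if marked executable), directories 0755."""
    with tarfile.open(archive_path) as tar:
        for member in tar:
            out_path = os.path.join(dest_dir, member.name)
            if not _inside(dest_dir, out_path):
                raise ValueError("member escapes destination: " + member.name)
            if member.isdir():
                os.makedirs(out_path, exist_ok=True)
                os.chmod(out_path, 0o755)
            elif member.isreg():
                os.makedirs(os.path.dirname(out_path), exist_ok=True)
                with tar.extractfile(member) as src, open(out_path, "wb") as dst:
                    dst.write(src.read())
                os.chmod(out_path, 0o755 if member.mode & 0o111 else 0o644)
            else:  # symlinks, hardlinks, devices: not needed, so not extracted
                raise ValueError("unsupported member type: " + member.name)

def special_bit_files(root):
    """Paths under root that still carry setuid/setgid/sticky bits (expected: none)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mode & (stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX):
                found.append(path)
    return found

def demo():
    """Constructed sample: an archive claiming a root-owned setuid 'bin/tool' (4755)."""
    work = tempfile.mkdtemp()
    archive = os.path.join(work, "sample.tar")
    payload = b"#!/bin/sh\necho hi\n"
    info = tarfile.TarInfo("bin/tool")
    info.size, info.mode, info.uid, info.gid = len(payload), 0o4755, 0, 0
    with tarfile.open(archive, "w") as tar:
        tar.addfile(info, io.BytesIO(payload))
    dest = os.path.join(work, "out")
    os.mkdir(dest, 0o700)  # like $tempdir in the thread: private while we work
    extract_normalized(archive, dest)
    tool_mode = stat.S_IMODE(os.stat(os.path.join(dest, "bin", "tool")).st_mode)
    return {"tool_mode": tool_mode, "special_bits": special_bit_files(dest)}
```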