[Mooix] VServer patch

Robin Lee Powell rlpowell at digitalkingdom.org
Mon Oct 3 18:54:00 GMT 2005


This change makes the tty session object's tty field a symlink,
instead of having mooix-pty-helper.pl do a cp -a of the tty device.
It also allows the following of symlinks in mood's patched open()
call, but *only* if the file being requested is itself a symlink
*and* is owned by root.

The reason for this is that a cp of a device file is equivalent to
an mknod() call, and those aren't allowed in VServer cages (since
allowing them means root can break the cage).

The patch below, along with some instructions I'll post shortly,
allows mooix to run in a VServer cage at regular system speeds, but
with lots of security, and not fucking up your /etc/passwd file.
It's snazzy.

-Robin



diff -C 3 -r mooix/mood/proxy.c mooix_working/mood/proxy.c
*** mooix/mood/proxy.c  Tue Sep  9 15:31:06 2003
--- mooix_working/mood/proxy.c  Mon Oct  3 11:28:28 2005
***************
*** 535,544 ****
        /* Only proxy opening of files that are in this object. */
        rassert(is_object_file(filename));
        if (can_open(info, filename, flags, mode)) {
                umask(0); // mode already modified by caller's umask
                errno = 0;
!               /* O_NOFOLLOW closes many potential symlink attacks */
!               fd = open(filename, flags | O_NOFOLLOW, mode);
        }
        result(client, fd, errno);
        if (fd != -1) {
--- 535,560 ----
        /* Only proxy opening of files that are in this object. */
        rassert(is_object_file(filename));
        if (can_open(info, filename, flags, mode)) {
+               struct stat buf;
+
                umask(0); // mode already modified by caller's umask
                errno = 0;
!               rassert( lstat(filename, &buf) == 0 );
!                   /* O_NOFOLLOW closes many potential symlink attacks
!                    * However, secured systems don't allow mknod,
!                    * which means we need to symlink to users'
!                    * ttys, so we allow root symlinks.
!                    * */
!               if( buf.st_uid == 0 && S_ISLNK(buf.st_mode) )
!               {
!                   /* We have a symlink owned by root; explicitely
!                    * turn off O_NOFOLLOW
!                    * */
!                   fd = open(filename, flags &~ O_NOFOLLOW, mode);
!               } else {
!                   /* O_NOFOLLOW closes many potential symlink attacks */
!                   fd = open(filename, flags | O_NOFOLLOW, mode);
!               }
        }
        result(client, fd, errno);
        if (fd != -1) {
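Review bot: the new `rassert( lstat(filename, &buf) == 0 )` turns any lstat() failure into a hard error, which includes ENOENT for a file that does not exist yet, so an open() with O_CREAT of a new file in the object (which the old code handled) now trips the assertion instead of creating the file; treat ENOENT as "not a symlink" and fall through to the O_NOFOLLOW branch. Separately, lstat() followed by open() without O_NOFOLLOW looks the name up twice, so the security argument rests on nobody but root being able to replace that name in the object directory between the two calls; that assumption belongs in the comment, since `buf.st_uid == 0` on the link itself says nothing about where it points. Minor: `flags &~ O_NOFOLLOW` reads better as `flags & ~O_NOFOLLOW`, and "explicitely" should be "explicitly".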
diff -C 3 -r mooix/utils/mooix-pty-helper.pl mooix_working/utils/mooix-pty-helper.pl
*** mooix/utils/mooix-pty-helper.pl     Fri Aug 29 20:00:19 2003
--- mooix_working/utils/mooix-pty-helper.pl     Mon Oct  3 11:52:19 2005
***************
*** 61,73 ****
  }

  my $dest=$session->id."/tty";
! # TODO something a mite more portable.. mknod?
! if (system("cp", "-a", $tty, $dest) != 0) {
!       die("Unable to copy $tty to $dest; perhaps that directory is mounted nodev?");
  }
! # The tty must be owned by the mooadmin, and group writable (so ttysession
! # methods can always read/write it).
! chown($uid, -1, $dest) || die "chown $dest: $!";
! chmod(0664, $dest) || die "chmod $dest: $!";

  exit 0;
--- 61,73 ----
  }

  my $dest=$session->id."/tty";
!
! if (system("ln", "-s", $tty, $dest) != 0) {
!         die("Unable to copy $tty to $dest; perhaps that directory is mounted nodev?");
  }
! # The tty must be owned by the mooadmin, and group writable (so
! # ttysession methods can always read/write it).
! chown($uid, -1, $tty) || die "chown $dest: $!";
! chmod(0664, $tty) || die "chmod $dest: $!";

  exit 0;
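Review bot: the `die(...)` in the new hunk still says "Unable to copy $tty to $dest; perhaps that directory is mounted nodev?", but the command is now `ln -s`, so a nodev mount is no longer the likely cause and the message will mislead whoever hits it; say "symlink" and drop the nodev hint. The chown/chmod now act on `$tty`, the user's real pty, rather than on a private copy, so mooadmin ownership and mode 0664 are applied to the live device for the life of the session and nothing in this hunk restores the original owner and mode afterwards; that deserves a follow-up or at least a comment, and the two `die "chown $dest"` / `die "chmod $dest"` messages should name `$tty` since that is what they operate on. The removed "TODO ... mknod?" comment has become an empty `!` line that can simply go.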

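Added example, not code from the patch or from mooix: a Linux-only C version of the same policy (follow the final component only when the link itself is owned by a trusted uid, root in the patch), written so the ownership check and the follow both go through one O_PATH descriptor to the link instead of an lstat() and a later open() on the path. The function and self-check names, the trusted-uid parameter (so the check runs unprivileged) and the temp file names are my own; a missing file still falls through to the O_NOFOLLOW open so O_CREAT keeps working.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Follow the final path component only if it is a symlink owned by `trusted` (the patch's
 * policy with trusted == 0). Check and follow share one O_PATH fd, so the link cannot be swapped. */
int open_trusting_symlinks_of(const char *path, int flags, mode_t mode, uid_t trusted)
{
    char dir[PATH_MAX], target[PATH_MAX];
    const char *base, *slash = strrchr(path, '/');
    int dfd, lfd, fd = -1, saved; struct stat st;
    /* Split off the directory so a relative link target resolves beside the link. */
    if (slash) {
        size_t n = slash == path ? 1 : (size_t)(slash - path);
        if (n >= sizeof dir) { errno = ENAMETOOLONG; return -1; }
        memcpy(dir, path, n); dir[n] = '\0'; base = slash + 1;
    } else { strcpy(dir, "."); base = path; }
    if ((dfd = open(dir, O_PATH | O_DIRECTORY)) == -1) return -1;
    lfd = openat(dfd, base, O_PATH | O_NOFOLLOW);   /* the link itself, not its target */
    if (lfd != -1 && fstat(lfd, &st) == 0 && S_ISLNK(st.st_mode) && st.st_uid == trusted) {
        ssize_t n = readlinkat(lfd, "", target, sizeof target - 1);   /* target of this very inode */
        if (n != -1) { target[n] = '\0'; fd = openat(dfd, target, flags & ~O_NOFOLLOW, mode); }
    } else {
        /* Untrusted link, regular file, or not yet existing (O_CREAT): keep O_NOFOLLOW. */
        fd = openat(dfd, base, flags | O_NOFOLLOW, mode);
    }
    saved = errno; if (lfd != -1) close(lfd); close(dfd); errno = saved;
    return fd;
}
/* Self-check on constructed files: our own symlink is followed when we are the trusted
 * uid and refused with ELOOP when another uid is. Returns 0 on success. */
int selftest(void)
{
    char d[] = "/tmp/linkdemoXXXXXX", f[64], l[64], buf[2];
    int fd, rc = 1;
    if (!mkdtemp(d)) return -1;
    snprintf(f, sizeof f, "%s/real", d); snprintf(l, sizeof l, "%s/link", d);
    if ((fd = open(f, O_WRONLY | O_CREAT, 0600)) == -1 || write(fd, "ok", 2) != 2) return -1;
    close(fd);
    if (symlink("real", l) == 0 &&
        (fd = open_trusting_symlinks_of(l, O_RDONLY, 0, getuid())) != -1 &&
        read(fd, buf, 2) == 2 && memcmp(buf, "ok", 2) == 0 && close(fd) == 0 &&
        open_trusting_symlinks_of(l, O_RDONLY, 0, getuid() + 1) == -1 && errno == ELOOP) rc = 0;
    unlink(l); unlink(f); rmdir(d); return rc;
}
```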
