From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Wed, 27 Dec 2023 14:01:59 +0100 Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs being placed in user controlled directories, causing the PAM module to block indefinitely during `openat()`. Pass O_DIRECTORY to cause the `openat()` to fail if the path does not refer to a directory. With this the check whether the final path element is a directory becomes unnecessary, drop it. --- modules/pam_namespace/pam_namespace.c | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index 2528cff8..f72d6718 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, int dfd = AT_FDCWD; int dfd_next; int save_errno; - int flags = O_RDONLY; + int flags = O_RDONLY | O_DIRECTORY; int rv = -1; struct stat st; @@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, rv = openat(dfd, dir, flags); } - if (rv != -1) { - if (fstat(rv, &st) != 0) { - save_errno = errno; - close(rv); - rv = -1; - errno = save_errno; - goto error; - } - if (!S_ISDIR(st.st_mode)) { - close(rv); - errno = ENOTDIR; - rv = -1; - goto error; - } - } - if (flags & O_NOFOLLOW) { /* we are inside user-owned dir - protect */ if (protect_mount(rv, p, idata) == -1) { -- 2.43.0