59 lines
1.7 KiB
Diff
59 lines
1.7 KiB
Diff
From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001
|
|
From: Matthias Gerstner <matthias.gerstner@suse.de>
|
|
Date: Wed, 27 Dec 2023 14:01:59 +0100
|
|
Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent
|
|
local DoS situations
|
|
|
|
Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
|
|
being placed in user controlled directories, causing the PAM module to
|
|
block indefinitely during `openat()`.
|
|
|
|
Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
|
|
refer to a directory.
|
|
|
|
With this the check whether the final path element is a directory
|
|
becomes unnecessary, drop it.
|
|
---
|
|
modules/pam_namespace/pam_namespace.c | 18 +-----------------
|
|
1 file changed, 1 insertion(+), 17 deletions(-)
|
|
|
|
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
|
|
index 2528cff8..f72d6718 100644
|
|
--- a/modules/pam_namespace/pam_namespace.c
|
|
+++ b/modules/pam_namespace/pam_namespace.c
|
|
@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
|
|
int dfd = AT_FDCWD;
|
|
int dfd_next;
|
|
int save_errno;
|
|
- int flags = O_RDONLY;
|
|
+ int flags = O_RDONLY | O_DIRECTORY;
|
|
int rv = -1;
|
|
struct stat st;
|
|
|
|
@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
|
|
rv = openat(dfd, dir, flags);
|
|
}
|
|
|
|
- if (rv != -1) {
|
|
- if (fstat(rv, &st) != 0) {
|
|
- save_errno = errno;
|
|
- close(rv);
|
|
- rv = -1;
|
|
- errno = save_errno;
|
|
- goto error;
|
|
- }
|
|
- if (!S_ISDIR(st.st_mode)) {
|
|
- close(rv);
|
|
- errno = ENOTDIR;
|
|
- rv = -1;
|
|
- goto error;
|
|
- }
|
|
- }
|
|
-
|
|
if (flags & O_NOFOLLOW) {
|
|
/* we are inside user-owned dir - protect */
|
|
if (protect_mount(rv, p, idata) == -1) {
|
|
--
|
|
2.43.0
|
|
|