* [PATCH] ldconfig: create /var/cache/ldconfig also with -r @ 2022-10-11 12:20 Johannes Schauer Marin Rodrigues 2022-10-11 20:59 ` Aurelien Jarno 0 siblings, 1 reply; 4+ messages in thread From: Johannes Schauer Marin Rodrigues @ 2022-10-11 12:20 UTC (permalink / raw) To: libc-alpha; +Cc: Johannes Schauer Marin Rodrigues Without the -r option, ldconfig creates /var/cache/ldconfig if it didn't exist yet. With the -r option, a non-existing /var/cache/ldconfig inside the chroot directory will *not* get created because chroot_canon() will return NULL if the path doesn't exist. This means that aux_cache_file will be set to NULL and save_aux_cache() doesn't get executed at the end. So instead of using chroot_canon() to prepending the chroot path, combine the paths manually. --- elf/ldconfig.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/elf/ldconfig.c b/elf/ldconfig.c index e6c24e71a4..da76dc31b8 100644 --- a/elf/ldconfig.c +++ b/elf/ldconfig.c @@ -1293,9 +1293,11 @@ main (int argc, char **argv) add_system_dir (LIBDIR); } - const char *aux_cache_file = _PATH_LDCONFIG_AUX_CACHE; - if (opt_chroot != NULL) - aux_cache_file = chroot_canon (opt_chroot, aux_cache_file); + char *aux_cache_file = (char *)(_PATH_LDCONFIG_AUX_CACHE); + if (opt_chroot != NULL) { + aux_cache_file = alloca (strlen (opt_chroot) + strlen (_PATH_LDCONFIG_AUX_CACHE) + 2); + sprintf (aux_cache_file, "%s/%s", opt_chroot, _PATH_LDCONFIG_AUX_CACHE); + } if (! opt_ignore_aux_cache && aux_cache_file) load_aux_cache (aux_cache_file); -- 2.37.2 ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] ldconfig: create /var/cache/ldconfig also with -r 2022-10-11 12:20 [PATCH] ldconfig: create /var/cache/ldconfig also with -r Johannes Schauer Marin Rodrigues @ 2022-10-11 20:59 ` Aurelien Jarno 2022-10-12 3:50 ` Johannes Schauer Marin Rodrigues 0 siblings, 1 reply; 4+ messages in thread From: Aurelien Jarno @ 2022-10-11 20:59 UTC (permalink / raw) To: Johannes Schauer Marin Rodrigues; +Cc: libc-alpha On 2022-10-11 14:20, Johannes Schauer Marin Rodrigues wrote: > Without the -r option, ldconfig creates /var/cache/ldconfig if it didn't > exist yet. With the -r option, a non-existing /var/cache/ldconfig inside > the chroot directory will *not* get created because chroot_canon() will > return NULL if the path doesn't exist. This means that aux_cache_file > will be set to NULL and save_aux_cache() doesn't get executed at the > end. So instead of using chroot_canon() to prepending the chroot path, > combine the paths manually. > --- > elf/ldconfig.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/elf/ldconfig.c b/elf/ldconfig.c > index e6c24e71a4..da76dc31b8 100644 > --- a/elf/ldconfig.c > +++ b/elf/ldconfig.c > @@ -1293,9 +1293,11 @@ main (int argc, char **argv) > add_system_dir (LIBDIR); > } > > - const char *aux_cache_file = _PATH_LDCONFIG_AUX_CACHE; > - if (opt_chroot != NULL) > - aux_cache_file = chroot_canon (opt_chroot, aux_cache_file); > + char *aux_cache_file = (char *)(_PATH_LDCONFIG_AUX_CACHE); > + if (opt_chroot != NULL) { > + aux_cache_file = alloca (strlen (opt_chroot) + strlen (_PATH_LDCONFIG_AUX_CACHE) + 2); > + sprintf (aux_cache_file, "%s/%s", opt_chroot, _PATH_LDCONFIG_AUX_CACHE); > + } This drops the use chroot_canon() call. I am afraid it might allows one to "escape" the "chroot". Imagine that /var/cache/ldconfig is a symlink pointing outside of the opt_chroot. To avoid changing the code too much, one way could be to call chroot_canon(opt_chroot, "/var/cache/ldconfig") and concatenate the result with "aux-cache". -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurelien@aurel32.net http://www.aurel32.net ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] ldconfig: create /var/cache/ldconfig also with -r 2022-10-11 20:59 ` Aurelien Jarno @ 2022-10-12 3:50 ` Johannes Schauer Marin Rodrigues 2022-10-12 17:52 ` Aurelien Jarno 0 siblings, 1 reply; 4+ messages in thread From: Johannes Schauer Marin Rodrigues @ 2022-10-12 3:50 UTC (permalink / raw) To: libc-alpha [-- Attachment #1: Type: text/plain, Size: 2659 bytes --] Quoting Aurelien Jarno (2022-10-11 22:59:33) > On 2022-10-11 14:20, Johannes Schauer Marin Rodrigues wrote: > > Without the -r option, ldconfig creates /var/cache/ldconfig if it didn't > > exist yet. With the -r option, a non-existing /var/cache/ldconfig inside > > the chroot directory will *not* get created because chroot_canon() will > > return NULL if the path doesn't exist. This means that aux_cache_file > > will be set to NULL and save_aux_cache() doesn't get executed at the > > end. So instead of using chroot_canon() to prepending the chroot path, > > combine the paths manually. > > --- > > elf/ldconfig.c | 8 +++++--- > > 1 file changed, 5 insertions(+), 3 deletions(-) > > > > diff --git a/elf/ldconfig.c b/elf/ldconfig.c > > index e6c24e71a4..da76dc31b8 100644 > > --- a/elf/ldconfig.c > > +++ b/elf/ldconfig.c > > @@ -1293,9 +1293,11 @@ main (int argc, char **argv) > > add_system_dir (LIBDIR); > > } > > > > - const char *aux_cache_file = _PATH_LDCONFIG_AUX_CACHE; > > - if (opt_chroot != NULL) > > - aux_cache_file = chroot_canon (opt_chroot, aux_cache_file); > > + char *aux_cache_file = (char *)(_PATH_LDCONFIG_AUX_CACHE); > > + if (opt_chroot != NULL) { > > + aux_cache_file = alloca (strlen (opt_chroot) + strlen (_PATH_LDCONFIG_AUX_CACHE) + 2); > > + sprintf (aux_cache_file, "%s/%s", opt_chroot, _PATH_LDCONFIG_AUX_CACHE); > > + } > > This drops the use chroot_canon() call. I am afraid it might allows one > to "escape" the "chroot". Imagine that /var/cache/ldconfig is a symlink > pointing outside of the opt_chroot. This code path (opt_chroot being NULL) is only reached if -r was specified and the chroot() call didn't succeed. This happens, for example, when the user uses fakeroot. So one can argue that: - escaping the "chroot" is not harmful because there were no sufficient permissions to chroot() in the first place - the user is running ldconfig in a non-default environment where I think they might be expected to keep the pieces > To avoid changing the code too much, one way could be to call > chroot_canon(opt_chroot, "/var/cache/ldconfig") and concatenate the result > with "aux-cache". Calling chroot_canon(opt_chroot, "/var/cache/ldconfig") will still return NULL because /var/cache/ldconfig might not exist inside the -r directory. Doing so would also ignore the setting of _PATH_LDCONFIG_AUX_CACHE. Maybe what would be done to prevent the "escaping" was to first call the original chroot_canon(opt_chroot, aux_cache_file) and, if the result is NULL, concatenate the paths manually instead? Thanks! cheers, josch [-- Attachment #2: signature --] [-- Type: application/pgp-signature, Size: 833 bytes --] -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEElFhU6KL81LF4wVq58sulx4+9g+EFAmNGOY4ACgkQ8sulx4+9 g+EflQ//dNU9YOy04jhqCcNhsDG4F+mxhYwMZ1LLl7Hytz/JKRMlqkk3LD8UqC85 CxX02EeesgfZcJMdgzqvr28AsyRQsqCW/QJluzGiNYiRlJ44PKEJQaUgvAgoSKvA rOv8344BX/4x8FV9T6vs1UfHNOmxVbcq7MsCEzKSv0oSQdipUL1Hw5fp03DvoAaK mppw3T4drbT9gubB40crsDiwuMW2Mz/ebPOlJTKAcg1ebPF/VgYjukMycxx0EF1N LuYjYTTqgKRcADUvcaVJWTXvQSsytjIK07ppx01zgjBFYvvDc0N8kEM2Yjux1368 LxqSGz4j6CmosAu+IqVt0DpfVd7mBr5+y/CaquZbbdCOBl9qdc+7VJ4TlJYXdbMm Fqv3+RlocfsGMZu0vhQzradsYTtCXNWLKJsijxPIm8ybXzrJkY1KN8MKxF8jTCDy 9GY+fTSSA0J/wreZi5pGWJc1OZEdZJVZSDaNBs6ZWRXcwZp+jrtJ3gZ6rzOVGn5F uCag33xjNSzzHu4YaGzGwu0M4KGXGHp6zSoqJvoC+oLK8mgne9I6t6nZUY+15nUt qEx9+1JN6+E6XJpizaJxTubxs45gdaQfUg7G2JXdFMe8p3aPk/PtfxtFZIq8mj7m 6WwjOsdhL2xlxF7eql0gqxpHOv10ZbjldpPVaonCEEP9QlJrivU= =KwAa -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] ldconfig: create /var/cache/ldconfig also with -r 2022-10-12 3:50 ` Johannes Schauer Marin Rodrigues @ 2022-10-12 17:52 ` Aurelien Jarno 0 siblings, 0 replies; 4+ messages in thread From: Aurelien Jarno @ 2022-10-12 17:52 UTC (permalink / raw) To: libc-alpha [-- Attachment #1: Type: text/plain, Size: 3656 bytes --] On 2022-10-12 05:50, Johannes Schauer Marin Rodrigues wrote: > Quoting Aurelien Jarno (2022-10-11 22:59:33) > > On 2022-10-11 14:20, Johannes Schauer Marin Rodrigues wrote: > > > Without the -r option, ldconfig creates /var/cache/ldconfig if it didn't > > > exist yet. With the -r option, a non-existing /var/cache/ldconfig inside > > > the chroot directory will *not* get created because chroot_canon() will > > > return NULL if the path doesn't exist. This means that aux_cache_file > > > will be set to NULL and save_aux_cache() doesn't get executed at the > > > end. So instead of using chroot_canon() to prepending the chroot path, > > > combine the paths manually. > > > --- > > > elf/ldconfig.c | 8 +++++--- > > > 1 file changed, 5 insertions(+), 3 deletions(-) > > > > > > diff --git a/elf/ldconfig.c b/elf/ldconfig.c > > > index e6c24e71a4..da76dc31b8 100644 > > > --- a/elf/ldconfig.c > > > +++ b/elf/ldconfig.c > > > @@ -1293,9 +1293,11 @@ main (int argc, char **argv) > > > add_system_dir (LIBDIR); > > > } > > > > > > - const char *aux_cache_file = _PATH_LDCONFIG_AUX_CACHE; > > > - if (opt_chroot != NULL) > > > - aux_cache_file = chroot_canon (opt_chroot, aux_cache_file); > > > + char *aux_cache_file = (char *)(_PATH_LDCONFIG_AUX_CACHE); > > > + if (opt_chroot != NULL) { > > > + aux_cache_file = alloca (strlen (opt_chroot) + strlen (_PATH_LDCONFIG_AUX_CACHE) + 2); > > > + sprintf (aux_cache_file, "%s/%s", opt_chroot, _PATH_LDCONFIG_AUX_CACHE); > > > + } > > > > This drops the use chroot_canon() call. I am afraid it might allows one > > to "escape" the "chroot". Imagine that /var/cache/ldconfig is a symlink > > pointing outside of the opt_chroot. > > This code path (opt_chroot being NULL) is only reached if -r was specified and > the chroot() call didn't succeed. This happens, for example, when the user uses > fakeroot. So one can argue that: > > - escaping the "chroot" is not harmful because there were no sufficient > permissions to chroot() in the first place > - the user is running ldconfig in a non-default environment where I think they > might be expected to keep the pieces I agree that the "security" implication are quite low with this option, but that is still a change from the existing behaviour. We should have the opinion of others to know if this is acceptable. > > To avoid changing the code too much, one way could be to call > > chroot_canon(opt_chroot, "/var/cache/ldconfig") and concatenate the result > > with "aux-cache". > > Calling chroot_canon(opt_chroot, "/var/cache/ldconfig") will still return NULL > because /var/cache/ldconfig might not exist inside the -r directory. Doing so chroot_canon() allows the last element of the path to not exist. That is actually why it works when calling it with _PATH_LDCONFIG_AUX_CACHE where the aux-cache file does not exist. > would also ignore the setting of _PATH_LDCONFIG_AUX_CACHE. Yep, what I really meant was dirname(_PATH_LDCONFIG_AUX_CACHE), but i used the explicit path to avoid confusion. > Maybe what would be done to prevent the "escaping" was to first call the > original chroot_canon(opt_chroot, aux_cache_file) and, if the result is NULL, > concatenate the paths manually instead? That should limit the risk, but not totally. If /var/cache/ldconfig is a symlink pointing outside the chroot, chroot_canon() will return NULL. Concatenating the two paths will result in a path outside of the chroot. -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurelien@aurel32.net http://www.aurel32.net [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-10-12 17:52 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-10-11 12:20 [PATCH] ldconfig: create /var/cache/ldconfig also with -r Johannes Schauer Marin Rodrigues 2022-10-11 20:59 ` Aurelien Jarno 2022-10-12 3:50 ` Johannes Schauer Marin Rodrigues 2022-10-12 17:52 ` Aurelien Jarno
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).