[PATCH] ldconfig: create /var/cache/ldconfig also with -r

[PATCH] ldconfig: create /var/cache/ldconfig also with -r

[Johannes Schauer Marin Rodrigues]

Without the -r option, ldconfig creates /var/cache/ldconfig if it didn't
exist yet. With the -r option, a non-existing /var/cache/ldconfig inside
the chroot directory will *not* get created because chroot_canon() will
return NULL if the path doesn't exist. This means that aux_cache_file
will be set to NULL and save_aux_cache() doesn't get executed at the
end. So instead of using chroot_canon() to prepending the chroot path,
combine the paths manually.
---
 elf/ldconfig.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/elf/ldconfig.c b/elf/ldconfig.c
index e6c24e71a4..da76dc31b8 100644
--- a/elf/ldconfig.c
+++ b/elf/ldconfig.c
@@ -1293,9 +1293,11 @@ main (int argc, char **argv)
 	add_system_dir (LIBDIR);
     }
 
-  const char *aux_cache_file = _PATH_LDCONFIG_AUX_CACHE;
-  if (opt_chroot != NULL)
-    aux_cache_file = chroot_canon (opt_chroot, aux_cache_file);
+  char *aux_cache_file = (char *)(_PATH_LDCONFIG_AUX_CACHE);
+  if (opt_chroot != NULL) {
+    aux_cache_file = alloca (strlen (opt_chroot) + strlen (_PATH_LDCONFIG_AUX_CACHE) + 2);
+    sprintf (aux_cache_file, "%s/%s", opt_chroot, _PATH_LDCONFIG_AUX_CACHE);
+  }
 
   if (! opt_ignore_aux_cache && aux_cache_file)
     load_aux_cache (aux_cache_file);
-- 
2.37.2

Re: [PATCH] ldconfig: create /var/cache/ldconfig also with -r

[Aurelien Jarno]

On 2022-10-11 14:20, Johannes Schauer Marin Rodrigues wrote:
> Without the -r option, ldconfig creates /var/cache/ldconfig if it didn't
> exist yet. With the -r option, a non-existing /var/cache/ldconfig inside
> the chroot directory will *not* get created because chroot_canon() will
> return NULL if the path doesn't exist. This means that aux_cache_file
> will be set to NULL and save_aux_cache() doesn't get executed at the
> end. So instead of using chroot_canon() to prepending the chroot path,
> combine the paths manually.
> ---
>  elf/ldconfig.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/elf/ldconfig.c b/elf/ldconfig.c
> index e6c24e71a4..da76dc31b8 100644
> --- a/elf/ldconfig.c
> +++ b/elf/ldconfig.c
> @@ -1293,9 +1293,11 @@ main (int argc, char **argv)
>  	add_system_dir (LIBDIR);
>      }
>  
> -  const char *aux_cache_file = _PATH_LDCONFIG_AUX_CACHE;
> -  if (opt_chroot != NULL)
> -    aux_cache_file = chroot_canon (opt_chroot, aux_cache_file);
> +  char *aux_cache_file = (char *)(_PATH_LDCONFIG_AUX_CACHE);
> +  if (opt_chroot != NULL) {
> +    aux_cache_file = alloca (strlen (opt_chroot) + strlen (_PATH_LDCONFIG_AUX_CACHE) + 2);
> +    sprintf (aux_cache_file, "%s/%s", opt_chroot, _PATH_LDCONFIG_AUX_CACHE);
> +  }

This drops the use chroot_canon() call. I am afraid it might allows one
to "escape" the "chroot". Imagine that /var/cache/ldconfig is a symlink
pointing outside of the opt_chroot.

To avoid changing the code too much, one way could be to call
chroot_canon(opt_chroot, "/var/cache/ldconfig") and concatenate the
result with "aux-cache".

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

Re: [PATCH] ldconfig: create /var/cache/ldconfig also with -r

[Johannes Schauer Marin Rodrigues]

[-- Attachment #1: Type: text/plain, Size: 2659 bytes --]

Quoting Aurelien Jarno (2022-10-11 22:59:33)
> On 2022-10-11 14:20, Johannes Schauer Marin Rodrigues wrote:
> > Without the -r option, ldconfig creates /var/cache/ldconfig if it didn't
> > exist yet. With the -r option, a non-existing /var/cache/ldconfig inside
> > the chroot directory will *not* get created because chroot_canon() will
> > return NULL if the path doesn't exist. This means that aux_cache_file
> > will be set to NULL and save_aux_cache() doesn't get executed at the
> > end. So instead of using chroot_canon() to prepending the chroot path,
> > combine the paths manually.
> > ---
> >  elf/ldconfig.c | 8 +++++---
> >  1 file changed, 5 insertions(+), 3 deletions(-)
> > 
> > diff --git a/elf/ldconfig.c b/elf/ldconfig.c
> > index e6c24e71a4..da76dc31b8 100644
> > --- a/elf/ldconfig.c
> > +++ b/elf/ldconfig.c
> > @@ -1293,9 +1293,11 @@ main (int argc, char **argv)
> >       add_system_dir (LIBDIR);
> >      }
> >  
> > -  const char *aux_cache_file = _PATH_LDCONFIG_AUX_CACHE;
> > -  if (opt_chroot != NULL)
> > -    aux_cache_file = chroot_canon (opt_chroot, aux_cache_file);
> > +  char *aux_cache_file = (char *)(_PATH_LDCONFIG_AUX_CACHE);
> > +  if (opt_chroot != NULL) {
> > +    aux_cache_file = alloca (strlen (opt_chroot) + strlen (_PATH_LDCONFIG_AUX_CACHE) + 2);
> > +    sprintf (aux_cache_file, "%s/%s", opt_chroot, _PATH_LDCONFIG_AUX_CACHE);
> > +  }
> 
> This drops the use chroot_canon() call. I am afraid it might allows one
> to "escape" the "chroot". Imagine that /var/cache/ldconfig is a symlink
> pointing outside of the opt_chroot.

This code path (opt_chroot being NULL) is only reached if -r was specified and
the chroot() call didn't succeed. This happens, for example, when the user uses
fakeroot. So one can argue that:

 - escaping the "chroot" is not harmful because there were no sufficient
   permissions to chroot() in the first place
 - the user is running ldconfig in a non-default environment where I think they
   might be expected to keep the pieces

> To avoid changing the code too much, one way could be to call
> chroot_canon(opt_chroot, "/var/cache/ldconfig") and concatenate the result
> with "aux-cache".

Calling chroot_canon(opt_chroot, "/var/cache/ldconfig") will still return NULL
because /var/cache/ldconfig might not exist inside the -r directory. Doing so
would also ignore the setting of _PATH_LDCONFIG_AUX_CACHE.

Maybe what would be done to prevent the "escaping" was to first call the
original chroot_canon(opt_chroot, aux_cache_file) and, if the result is NULL,
concatenate the paths manually instead?

Thanks!

cheers, josch

[-- Attachment #2: signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEElFhU6KL81LF4wVq58sulx4+9g+EFAmNGOY4ACgkQ8sulx4+9
g+EflQ//dNU9YOy04jhqCcNhsDG4F+mxhYwMZ1LLl7Hytz/JKRMlqkk3LD8UqC85
CxX02EeesgfZcJMdgzqvr28AsyRQsqCW/QJluzGiNYiRlJ44PKEJQaUgvAgoSKvA
rOv8344BX/4x8FV9T6vs1UfHNOmxVbcq7MsCEzKSv0oSQdipUL1Hw5fp03DvoAaK
mppw3T4drbT9gubB40crsDiwuMW2Mz/ebPOlJTKAcg1ebPF/VgYjukMycxx0EF1N
LuYjYTTqgKRcADUvcaVJWTXvQSsytjIK07ppx01zgjBFYvvDc0N8kEM2Yjux1368
LxqSGz4j6CmosAu+IqVt0DpfVd7mBr5+y/CaquZbbdCOBl9qdc+7VJ4TlJYXdbMm
Fqv3+RlocfsGMZu0vhQzradsYTtCXNWLKJsijxPIm8ybXzrJkY1KN8MKxF8jTCDy
9GY+fTSSA0J/wreZi5pGWJc1OZEdZJVZSDaNBs6ZWRXcwZp+jrtJ3gZ6rzOVGn5F
uCag33xjNSzzHu4YaGzGwu0M4KGXGHp6zSoqJvoC+oLK8mgne9I6t6nZUY+15nUt
qEx9+1JN6+E6XJpizaJxTubxs45gdaQfUg7G2JXdFMe8p3aPk/PtfxtFZIq8mj7m
6WwjOsdhL2xlxF7eql0gqxpHOv10ZbjldpPVaonCEEP9QlJrivU=
=KwAa
-----END PGP SIGNATURE-----

Re: [PATCH] ldconfig: create /var/cache/ldconfig also with -r

[Aurelien Jarno]

[-- Attachment #1: Type: text/plain, Size: 3656 bytes --]

On 2022-10-12 05:50, Johannes Schauer Marin Rodrigues wrote:
> Quoting Aurelien Jarno (2022-10-11 22:59:33)
> > On 2022-10-11 14:20, Johannes Schauer Marin Rodrigues wrote:
> > > Without the -r option, ldconfig creates /var/cache/ldconfig if it didn't
> > > exist yet. With the -r option, a non-existing /var/cache/ldconfig inside
> > > the chroot directory will *not* get created because chroot_canon() will
> > > return NULL if the path doesn't exist. This means that aux_cache_file
> > > will be set to NULL and save_aux_cache() doesn't get executed at the
> > > end. So instead of using chroot_canon() to prepending the chroot path,
> > > combine the paths manually.
> > > ---
> > >  elf/ldconfig.c | 8 +++++---
> > >  1 file changed, 5 insertions(+), 3 deletions(-)
> > > 
> > > diff --git a/elf/ldconfig.c b/elf/ldconfig.c
> > > index e6c24e71a4..da76dc31b8 100644
> > > --- a/elf/ldconfig.c
> > > +++ b/elf/ldconfig.c
> > > @@ -1293,9 +1293,11 @@ main (int argc, char **argv)
> > >       add_system_dir (LIBDIR);
> > >      }
> > >  
> > > -  const char *aux_cache_file = _PATH_LDCONFIG_AUX_CACHE;
> > > -  if (opt_chroot != NULL)
> > > -    aux_cache_file = chroot_canon (opt_chroot, aux_cache_file);
> > > +  char *aux_cache_file = (char *)(_PATH_LDCONFIG_AUX_CACHE);
> > > +  if (opt_chroot != NULL) {
> > > +    aux_cache_file = alloca (strlen (opt_chroot) + strlen (_PATH_LDCONFIG_AUX_CACHE) + 2);
> > > +    sprintf (aux_cache_file, "%s/%s", opt_chroot, _PATH_LDCONFIG_AUX_CACHE);
> > > +  }
> > 
> > This drops the use chroot_canon() call. I am afraid it might allows one
> > to "escape" the "chroot". Imagine that /var/cache/ldconfig is a symlink
> > pointing outside of the opt_chroot.
> 
> This code path (opt_chroot being NULL) is only reached if -r was specified and
> the chroot() call didn't succeed. This happens, for example, when the user uses
> fakeroot. So one can argue that:
> 
>  - escaping the "chroot" is not harmful because there were no sufficient
>    permissions to chroot() in the first place
>  - the user is running ldconfig in a non-default environment where I think they
>    might be expected to keep the pieces

I agree that the "security" implication are quite low with this option,
but that is still a change from the existing behaviour. We should have
the opinion of others to know if this is acceptable.

> > To avoid changing the code too much, one way could be to call
> > chroot_canon(opt_chroot, "/var/cache/ldconfig") and concatenate the result
> > with "aux-cache".
> 
> Calling chroot_canon(opt_chroot, "/var/cache/ldconfig") will still return NULL
> because /var/cache/ldconfig might not exist inside the -r directory. Doing so

chroot_canon() allows the last element of the path to not exist. That is
actually why it works when calling it with _PATH_LDCONFIG_AUX_CACHE
where the aux-cache file does not exist.

> would also ignore the setting of _PATH_LDCONFIG_AUX_CACHE.

Yep, what I really meant was dirname(_PATH_LDCONFIG_AUX_CACHE), but i
used the explicit path to avoid confusion.

> Maybe what would be done to prevent the "escaping" was to first call the
> original chroot_canon(opt_chroot, aux_cache_file) and, if the result is NULL,
> concatenate the paths manually instead?

That should limit the risk, but not totally. If /var/cache/ldconfig is a
symlink pointing outside the chroot, chroot_canon() will return NULL.
Concatenating the two paths will result in a path outside of the chroot.

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]