snapd/packaging/opensuse/permissions.secure
Zygmunt Krynicki 82c8083d64 packaging,snap-confine: stop being setgid root
Historically snap-confine did not handle effective group ID very well.
It resulted in a long-standing bug where certain files or directories
created by snap-confine or programs it invokes would be owned by the
group of the user calling snap-confine.

Prior attempts to resolve that, based on the simplicity of calling
setegid(0) early in the execution process, were NACKed by security
review. The approach implemented here is to run with egid=real_gid for
as long as possible. This desire is balanced with the
goal of not using real_gid in any filesystem objects. This required
multiple fixes, not only around code that creates files or directories
but also around calls to external tools, like snap-update-ns,
snap-discard-ns and snap-device-helper.

Care was taken to simplify the code, as past mistakes were mostly a
result of lack of understanding that snap-confine executes with real
group ID.

This patch adds a new type, sc_identity, that fuses uid and gid into one
type.  The new function, sc_set_effective_identity, applies changes to
effective user and group identity, while returning the old values to
restore later.

Instead of manual calls to {get,set}{,e}{u,g}id, where it is easy to
make one-letter mistakes that can be missed by code review, almost
everything is now using sc_set_effective_identity.

The only exception is the code that permanently drops IDs to that of the
calling user just prior to executing the application. This code was left
intact as it is a one-way transition that is different from the rest of
the pattern of use of sc_set_effective_identity.

The design of the employed strategy is that the effective group ID is
switched to root and then back, around specific mkdir and open calls.

There are some exceptions where the code runs for a little longer with
elevated permissions. One is around the call to setup_private_mount,
which is called with the appropriate group, to coalesce code that needs
to run with elevated permissions and to avoid ping-pong group changes.

There's a new spread test that checks for leaking files with wrong group
ownership.

Finally, with all of the changes, snap-confine no longer needs to be
setgid root. Packaging is adjusted to reflect that.

Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
2020-01-17 11:47:26 +01:00


/usr/lib/snapd/snap-confine root:root 4755
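The permissions.secure entry above installs snap-confine with mode 4755, that is setuid root without the setgid bit, which is what the commit message's move to egid=real_gid makes possible. The following is an added example, not snap-confine's own code, that re-creates the bracketing pattern the message describes: an sc_identity type, an sc_set_effective_identity that applies a new effective uid/gid and returns the old one, and a mkdir call wrapped so the elevated group is held only for the duration of that single filesystem call. The names sc_identity and sc_set_effective_identity come from the commit message; sc_mkdir_as_identity, sc_owner_gid, the uid-first/gid-first ordering rule and the temporary paths are assumptions made for this example.

```c
/* Added example (not snap-confine's code): effective-identity bracket
 * around a single mkdir(), in the style described by the commit message. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Fuses uid and gid into one value, as the commit message describes. */
typedef struct sc_identity {
    uid_t uid;
    gid_t gid;
} sc_identity;

/* Switch the effective uid and gid and return the previous effective
 * identity so the caller can restore it.
 *
 * The ordering rule is an assumption of this example: when raising to root
 * the euid must become 0 first, because a setuid-only binary (saved gid is
 * not 0) may not call setegid(0) while unprivileged; when lowering, the gid
 * must change first, because once euid is no longer 0 the gid can only be
 * set to the real or saved gid. */
static sc_identity sc_set_effective_identity(sc_identity new_id)
{
    sc_identity old = { .uid = geteuid(), .gid = getegid() };
    if (new_id.uid == 0) {
        if (seteuid(new_id.uid) < 0 || setegid(new_id.gid) < 0) {
            perror("cannot raise effective identity");
            exit(EXIT_FAILURE);
        }
    } else {
        if (setegid(new_id.gid) < 0 || seteuid(new_id.uid) < 0) {
            perror("cannot lower effective identity");
            exit(EXIT_FAILURE);
        }
    }
    return old;
}

/* Create a directory while temporarily holding the given effective identity.
 * The caller's identity is restored on both the success and failure paths,
 * and mkdir()'s errno is preserved across the restore. */
static int sc_mkdir_as_identity(const char *path, mode_t mode, sc_identity id)
{
    sc_identity old = sc_set_effective_identity(id);
    int rc = mkdir(path, mode);
    int saved_errno = errno;
    sc_set_effective_identity(old);
    errno = saved_errno;
    return rc;
}

/* Owning group of a path, or (gid_t)-1 on error. This is the check the
 * commit message's spread test performs: no object may end up owned by an
 * unexpected group. */
static gid_t sc_owner_gid(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return (gid_t)-1;
    return st.st_gid;
}

int main(void)
{
    /* Constructed scratch location; an unprivileged run can only bracket
     * with its own identity, whereas setuid-root snap-confine would pass
     * (sc_identity){ .uid = 0, .gid = 0 } around the privileged mkdir. */
    char tmpl[] = "/tmp/sc-identity-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (dir == NULL) {
        perror("mkdtemp");
        return EXIT_FAILURE;
    }
    char path[256];
    snprintf(path, sizeof path, "%s/sub", dir);

    sc_identity self = { .uid = geteuid(), .gid = getegid() };
    if (sc_mkdir_as_identity(path, 0755, self) < 0) {
        perror("mkdir");
        return EXIT_FAILURE;
    }
    printf("%s owned by gid %u, effective gid after bracket %u\n",
           path, (unsigned)sc_owner_gid(path), (unsigned)getegid());
    rmdir(path);
    rmdir(dir);
    return EXIT_SUCCESS;
}
```

The point of routing every privileged filesystem call through one helper is the one the commit message makes: the direction-sensitive ordering lives in a single place, and a one-character slip between getegid/setegid or seteuid/setegid cannot hide in a dozen call sites.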