| ▲ | ifh-hn 4 hours ago |
| I wonder if, and this is just speculating not trying to start an arguement, if this sort of thing could have happened in the simpler pre-snap, pre-systemd systems? More to the point is this a cause of using more complicated software? |
|
| ▲ | AgentME an hour ago | parent | next [-] |
| Without snap, the front door is wide open: all applications you run are unconfined within your user account and can snoop on all of your files. On a normal single-user desktop system, almost everything valuable is within your user account, not root. If an attacker does want root (such as to install a rootkit that can hide itself or to access other user accounts), they can install an alias to sudo on your account and piggy-back on the next time you use it. |
|
| ▲ | akdor1154 an hour ago | parent | prev | next [-] |
| Well yeah, if everything runs unsandboxed as root then there are no privilege escalations! Less pithy, i seem to recall many issue with programs that relied on suid and permission dropping, which would be the 'oldschool' way of firming up the above. You're not wrong that complexity has been introduced, and I'm not a a fan of snap either, but ultimately sandboxes (esp backwards compatible ones that don't need source level modifications) are complex. If you want simple and secure, you're probably looking at OpenBSD and pledge. |
|
| ▲ | dogleash 3 hours ago | parent | prev [-] |
| Permission and timing gotchas in /tmp predate snap and systemd. It's why things like `mkstemp` exist. I remember cron jobs that did what systemd-tmpfiles-clean does before it existed. All unix daemons using /tmp run the risk of misusing /tmp. I don't know snap well enough to say anything about it makes it uniquely more susceptible to that. |
| |
| ▲ | SoftTalker 3 hours ago | parent [-] | | The mistake seems to be using a predictable path (/tmp/.snap) in a publicly-writable directory. | | |
| ▲ | pbhjpbhj 2 hours ago | parent [-] | | The exploit doesn't rely on the path being predictable though. As I read it the .snap is expired and pruned, then the exploiter makes their own .snap in /tmp, then snap-confine assumes that the new .snap is the old one and executes with elevated privileges. So, the path can be from mkstemp, or a sha-256 of your significant others fingerprint, it doesn't matter; until it expires it's plaintext in the /tmp listing. {Wild, ignorant speculation follows ... hashing the inode and putting a signed file in the folder bearing that hash, then checking for that ... something that works but along those lines might be appropriate. (We know the inode for the 10 days we're waiting for /tmp/.snap to get pruned; time that might be used to generate a hash collision, so my off-the-cuff suggestion is definitely no good. It feels like there's a simple solution but everything I can think of fails to KPA, I think -- perhaps just use dm-crypt for the /tmp/.snap folder?} | | |
| ▲ | wahern 35 minutes ago | parent | next [-] | | Or just assert the UID and GID of /tmp/.snap before using. Of course, you'd want to open(2) /tmp/.snap and use fstat(2) on a descriptor (not just pass the path, /tmp/.snap, to stat(2)), then use mkdirat, openat & friends consistently. | |
| ▲ | SoftTalker an hour ago | parent | prev [-] | | Yes, it does. The attacker knows that snap is going to look in /tmp/.snap/, instead of e.g. /tmp/.snap.FjBz8oEWaU/ (which isn't guessable in advance) so when /tmp is flushed, he just has to recreate /tmp/.snap/ before snap-confine does, and drop his payload there. | | |
| ▲ | AgentME 33 minutes ago | parent [-] | | If the directory had a random name, the attacker could see that name and recreate it after /tmp is flushed. |
|
|
|
|
