summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-08-12 21:47:13 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-08-12 21:47:13 +0000
commit5b3dd2d4c849d348cc6aa8bdeabcf4a9f82d815e (patch)
treef7c4c2ed3d7844cbdafb088cd69f1f1e89d65d4e
parentd91fe77748cc7c1b4af46c3fb6fd72a4d080a9e5 (diff)
downloadchromium_src-5b3dd2d4c849d348cc6aa8bdeabcf4a9f82d815e.zip
chromium_src-5b3dd2d4c849d348cc6aa8bdeabcf4a9f82d815e.tar.gz
chromium_src-5b3dd2d4c849d348cc6aa8bdeabcf4a9f82d815e.tar.bz2
Linux sandbox: fix security issue.
(Reported by Julien Tinnes) Because the chroot helper process and the zygote share a FILES structure, the latter can race the former and change the value of cwd before it does chroot("."). Because of this, the zygote could chroot into a directory of its choosing. Once there, it could setup hardlinks to SUID binaries and possibly make them misbehave if they weren't sufficiently paranoid. This possibility should have been migigated by the removal of dangerous environment variables. However, we had to reinstate them in order to pass LD_LIBRARY_PATH because some setups don't have ld.so setup to use /usr/lib32 and also for ffmpeg. http://codereview.chromium.org/164427 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23228 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--sandbox/linux/suid/sandbox.cc8
1 files changed, 6 insertions, 2 deletions
diff --git a/sandbox/linux/suid/sandbox.cc b/sandbox/linux/suid/sandbox.cc
index 26aee65..ea6b232 100644
--- a/sandbox/linux/suid/sandbox.cc
+++ b/sandbox/linux/suid/sandbox.cc
@@ -121,13 +121,17 @@ static int CloneChrootHelperProcess() {
fchmod(chroot_dir_fd, 0000 /* no-access */);
struct stat st;
- if (stat(".", &st))
+ if (fstat(chroot_dir_fd, &st))
FatalError("stat");
if (st.st_uid || st.st_gid || st.st_mode & S_IWOTH)
FatalError("Bad permissions on chroot temp directory");
- if (chroot("."))
+ char proc_self_fd_str[128];
+ snprintf(proc_self_fd_str, sizeof(proc_self_fd_str), "/proc/self/fd/%d",
+ chroot_dir_fd);
+
+ if (chroot(proc_self_fd_str))
FatalError("Cannot chroot into temp directory");
if (chdir("/"))