From 5b3dd2d4c849d348cc6aa8bdeabcf4a9f82d815e Mon Sep 17 00:00:00 2001
From: "agl@chromium.org"
Date: Wed, 12 Aug 2009 21:47:13 +0000
Subject: Linux sandbox: fix security issue.

(Reported by Julien Tinnes) Because the chroot helper process and the zygote share a FILES structure, the latter can race the former and change the value of cwd before it does chroot("."). Because of this, the zygote could chroot into a directory of its choosing. Once there, it could setup hardlinks to SUID binaries and possibly make them misbehave if they weren't sufficiently paranoid. This possibility should have been migigated by the removal of dangerous environment variables. However, we had to reinstate them in order to pass LD_LIBRARY_PATH because some setups don't have ld.so setup to use /usr/lib32 and also for ffmpeg.

http://codereview.chromium.org/164427

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23228 0039d316-1c4b-4281-b951-d872f2087c98
---
 sandbox/linux/suid/sandbox.cc | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sandbox/linux/suid/sandbox.cc b/sandbox/linux/suid/sandbox.cc
index 26aee65..ea6b232 100644
--- a/sandbox/linux/suid/sandbox.cc
+++ b/sandbox/linux/suid/sandbox.cc
@@ -121,13 +121,17 @@ static int CloneChrootHelperProcess() {
   fchmod(chroot_dir_fd, 0000 /* no-access */);
   struct stat st;
-  if (stat(".", &st))
+  if (fstat(chroot_dir_fd, &st))
     FatalError("stat");
   if (st.st_uid || st.st_gid || st.st_mode & S_IWOTH)
     FatalError("Bad permissions on chroot temp directory");
-  if (chroot("."))
+  char proc_self_fd_str[128];
+  snprintf(proc_self_fd_str, sizeof(proc_self_fd_str), "/proc/self/fd/%d",
+           chroot_dir_fd);
+
+  if (chroot(proc_self_fd_str))
     FatalError("Cannot chroot into temp directory");
   if (chdir("/"))
-- 
cgit v1.1
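Review bot: The added `chroot(proc_self_fd_str)` line carries no comment saying why the target is the descriptor's /proc path rather than ".", yet that indirection is the entire fix and is the kind of thing a later cleanup could revert to `chroot(".")` without noticing; suggest above the `char proc_self_fd_str[128];` line: `// Resolve the chroot target through the already-opened fd, not cwd: the cwd is shared with the zygote and can be changed under us between the stat and the chroot.` The same note applies to the `fstat(chroot_dir_fd, &st)` line, which pins the ownership/mode check to the same inode the chroot will use. Worth stating in the comment as well that if /proc is not mounted the chroot fails and `FatalError` fires, so the fallback is fail-closed rather than a silent downgrade. The `fchmod` on the first context line still ignores its return value; the `fstat` check afterwards only rejects world-writable (`S_IWOTH`), so a failed fchmod on a group-writable directory would not be caught. CloneChrootHelperProcess begins before and continues past this hunk.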