rc.d/cleanvar: purgedir function has shell expansion vulnerability
ClosedPublic
Actions

Authored by feld on Jan 5 2018, 10:29 PM.

Details

Reviewers

gordon
allanjude

Commits

rS328951: Refactor cleanvar to remove shell expansion vulnerability

Summary

cleanvar is enabled by default on FreeBSD systems. Its purpose is to
clean out stale files from three directories:

/var/run
/var/spool/lock
/var/spool/uucp/.Temp/

For /var/run and /var/spool/lock a local function called purgedir is used.
This function has a vulnerability by shell expansion.

If any process creates a directory named "-P" in /var/run or
/var/spool/lock it will cause the purgedir function to start to rm -r /.
This seems to only be reproducible on boot or startup of a jail
(exec.start= "/bin/sh /etc/rc";).

Only /var/run and /var/spool/lock use the purgedir function. The
purgedir function has the following properties:

If zero arguments are given to purgedir, run purgedir on .
skip sockets named "log" and "logpriv" (intended for /var/run)
a hack to avoid following "." and ".."
if it's a directory, run the purgedir function against this directory
otherwise rm -f -- $file

I believe the vulnerability we are seeing is at line 32:

cd "$dir" && for file in .* *

-P is alphasorted as the first item in the directory and the CWD=/,
which means you get

CWD=/
/usr/bin/cd "-P" && for file in .* *

Which will inevitably cause it to start deleting /

These tasks are much better handled with find(1).

Test Plan

mkdir -- /var/run/-P
mkdir -- /var/spool/lock/-P

Restart system

Observe that cleanvar is not deleting your OS

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

feld created this revision.Jan 5 2018, 10:29 PM

Herald added a subscriber: imp. · View Herald TranscriptJan 5 2018, 10:29 PM

Harbormaster completed remote builds in B14145: Diff 37570.Jan 5 2018, 10:29 PM

feld edited the summary of this revision. (Show Details)Jan 5 2018, 10:30 PM

feld edited the summary of this revision. (Show Details)Jan 5 2018, 10:33 PM

Improved find(1) syntax per BigKnife

Harbormaster completed remote builds in B14146: Diff 37571.Jan 5 2018, 10:40 PM

Escape parens

Do not try to clear out the uucp Temp dir unless it exists

Harbormaster completed remote builds in B14147: Diff 37572.Jan 5 2018, 10:50 PM

emaste added a subscriber: emaste.Jan 9 2018, 12:17 AM

This seems like a much safer approach

This revision is now accepted and ready to land.Feb 6 2018, 8:24 PM

Closed by commit rS328951: Refactor cleanvar to remove shell expansion vulnerability (authored by feld). · Explain WhyFeb 6 2018, 9:36 PM

This revision was automatically updated to reflect the committed changes.

imp added inline comments.Feb 6 2018, 9:43 PM

head/etc/rc.d/cleanvar
42	This removes the .Temp file always, no? The old code only deleted what was under it. And how is this different than just rm -rf? Seems like the complicated way of doing it, unlike the other cleanups to the file which made things less obscure and easier to follow.

feld added inline comments.Feb 6 2018, 9:48 PM

head/etc/rc.d/cleanvar
42	.Temp is a directory, not a file. The idea was to keep it consistent with the other cleanup commands which are now leveraging find(1). I don't know how many files may end up under /var/spool/uucp/.Temp/* but it would be a shame for boot to hang because of glob expansion taking forever or fail with "too many arguments". Does that make sense?

Revision Contents
Changeset List

Path

Size

head/

etc/

rc.d/

cleanvar

37 lines

Diff 38973

View Options

rc.d/cleanvar: purgedir function has shell expansion vulnerabilityClosedPublicActions