Le mardi 19 mai 2015 à 23:31 -0500, Rob Landley a écrit : > Looking at the smack-10 tree ala: > > commit cbc95a1a00ae0a1a806e7cc241cdf7b821ee4951 > Author: José Bollo <[email protected]> > Date: Mon May 11 18:53:12 2015 +0200 > > mkdir: Add -Z option > > Specifically this bit: > > - for (s=toys.optargs; *s; s++) > + for (s=toys.optargs; *s; s++) { > if (mkpathat(AT_FDCWD, *s, mode, toys.optflags|1)) > perror_msg("'%s'", *s); > + else if (CFG_MKDIR_SECURITY && (toys.optflags & FLAG_Z)) { > + if (security_set_context(*s, TT.arg_context) < 0) { > + rmdir(*s); > + error_exit("Unable to create directory '%s' with '%s' as > context.", *s, > + } > + } > + } > > Isn't this racy? You create the directory without a label, then come along > at some arbitrary point later and add one? Shouldn't we at least mkpathat() > with mode 000, add the label, and then chmod()?
Hello, You are right. See https://msdn.microsoft.com/en-us/library/windows/desktop/aa363855% 28v=vs.85%29.aspx too get an other point de vue. > Or does it not work that way with this stuff? (I dunno if we can add a label > to a directory we can't write to. I dunno we can chmod it after we've stuck > a label on it. Maybe the race condition is inherent in the design because > Stewart's bosses were more interested in gaining perpetual access to > everybody's infrastructure than actually securing it?) yes > Also, I take it setcontext still isn't setting errno to anything useful? alas > Sigh. These are very rough-edged APIs. Nobody's ever gone through to clean > them up on the kernel side. (I dunno if this is the same "How dare newbies > like you look through openssl to find heartbleed? Keep your ignorant paws > off our magic code mortals are not meant to understand" thing as the crypto > world, or if it's just nobody who isn't being paid to work on this cares > about this bureaucratic infrastructure for filling out forms in triplicate. > Possibly a combination of the two.) > > Oh, don't error_exit() in the middle of looping on optargs, just error_msg() > and that'll set toys.exitval to 1 if it's not already set to a nonzero value > so when we _do_ exit it returns an error value. Otherwise you don't process > the full list, and you're supposed to. you are right. thank you for the tip. > > Rob > > P.S. I suspect I have slightly more sympathy for smack than for other Linux > Sado-Masochism plugins because at least they're not using "security" > infrastructure developed by the NSA _after_ the Snowden revelations*. Then > again rolling your own security seems like rolling your own crypto, so... > Either way I still consider this stuff mostly for show, as in the "S" in > the middle of TSA, NSA, and LSM all have the exact same meaning as far as > I'm concerned, and are of about as much real-world use. Who are nasty people and how they sadly influence our everyday life? > But I'm trying very hard not to let this influence my technical judgement. > "I am not the target audience for this infrastructure, and the people who > need it care deeply about it." (Whether what they need it for is to > placate middle management or justify budgetary expenditures or show nominal > compliance with a bureaucratic standard is none of my business: they > can't deploy the software without it. "Something must be done, this is > something, therefore we must do it.") > > On the one hand, it doesn't seem to be important to its target audience > whether it actually _works_ (as long as it _seems_ to work). On the other > hand, if toybox is going to have infrastructure I want it to be the best > version of that infrastructure it can be. If we're gonna do it, we do it > right. > > Alas, all my instincts say that doing it right in this case involves not > going there in the first place, and we've already burned that bridge, so > there's a certain amount of "flying blind on a rocketcycle"** going on here. > I do not know how to fix this, on at least two levels. If you were radical you had turned off C programming language and POSIX. That is the way I'm doing toys. https://fosdem.org/2015/schedule/event/flk/ > * I can't remember if those were in Leviticus or Deuteronomy. Something > about nine-bladed flaming swords with root access. > > ** It's a BRIAN BLESSED reference. It was the 80's. Queen was involved. > _______________________________________________ > Toybox mailing list > [email protected] > http://lists.landley.net/listinfo.cgi/toybox-landley.net _______________________________________________ Toybox mailing list [email protected] http://lists.landley.net/listinfo.cgi/toybox-landley.net
