oss-sec mailing list archives
Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync
From: Robert Watson <robertcwatson1 () gmail com>
Date: Wed, 18 Oct 2017 16:55:07 -0400
May be that this convo should be migrated somewhere else, but I'd really like to understand how this has anything to do with symlinks. Been programming Unix/Linux for 30 years but now need to be a real SysAdmin so need to correct my misconceptions. Removing the ability for rsync to copy symlinks pointing to targets outside the mirror tree would greatly cripple it. I need to understand how the danger is worth the loss of this functionality. Can you or anyone help me with this? *Trust in truth keeps hope aliverobertcwatson1 () gmail com <robertcwatson1 () gmail com>webmaster () civicchorale org <webmaster () civicchorale org>alpha.docsalvager.info <http://alpha.docsalvager.info>www.CivicChorale.org <http://www.CivicChorale.org>* On Wed, Oct 18, 2017 at 9:30 AM, Ben Tasker <ben () bentasker co uk> wrote:
On Wed, Oct 18, 2017 at 1:55 PM, Robert Watson <robertcwatson1 () gmail com> wrote:Since security is determined by file and directory permissions and ownership, not by symlinks, wouldn't the fact that a malicious user didnothave permissions to access the symlink's target file/directory preventanyharm?If I'm reading the original correctly, then the user that will access the target will be the user your HTTP daemon runs as (so, for sake of example, nginx). There's stuff that will be protected by permissions (for example, you shouldn't be able to pull down /etc/shadow - so long as nginx/apache isn't running as root), but there are other files that you might consider sensitive(ish). Pulling down /etc/passwd would give you a list of known good usernames to better target brute-force attempts (for example). Or perhaps using it to grab the config file of some dynamic site on the same server etc. So there is potential scope for abuse there, and others probably have better imaginations than I do. The "nice" thing about it is: if an attacker gets access to the upstream mirror they still may not be able to mess with the packages themselves (as they're signed), but with this they can still potentially be hostile to downstream. -- Ben Tasker https://www.bentasker.co.uk
Current thread:
- CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Bastian Blank (Oct 17)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 18)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Ben Tasker (Oct 18)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 19)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Seth Arnold (Oct 19)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 20)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Ben Tasker (Oct 20)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 21)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Solar Designer (Oct 21)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 21)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Simon McVittie (Oct 21)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Ben Tasker (Oct 18)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Robert Watson (Oct 18)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Seth Arnold (Oct 20)
- Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync Bastian Blank (Oct 21)