GNU bug report logs - #35256
Bug report for -W argument (maximum width) - minor and not dangerous

Package: diffutils;

Reported by: alec <at> unifiedmathematics.com

Date: Sat, 13 Apr 2019 15:33:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

Message #13 received at 35256 <at> debbugs.gnu.org (full text, mbox):

From: Assaf Gordon <assafgordon <at> gmail.com>
To: 35256 <at> debbugs.gnu.org, alec <at> unifiedmathematics.com
Cc: eggert <at> cs.ucla.edu
Subject: Re: [bug-diffutils] bug#35256: Bug report for -W argument (maximum width) - minor and not dangerous
Date: Tue, 27 Aug 2019 18:56:46 -0600

Hello,

Slightly off-topic, but potentially helpful:

On 2019-08-27 5:23 p.m., Paul Eggert wrote:
> alec <at> unifiedmathematics.com wrote:
> 
>> I know diff is used by A LOT of other programs, some of which are
>> web-accessible
> 
> [...] if you let a remote attacker 
> specify an arbitrary option to GNU diff there is lots of other trouble 
> you can get into. 
> [....] The general wisdom nowadays is to not expose command-line 
> operands to attackers.
While generally true, sometimes there's no way around it
(or perhaps it is even the goal).

An easy way to restrict resources is to execute a simple
wrapper shell script that uses 'timeout', 'prlimit' and 'setpriv' for
additional restrictions.

For example:

 timeout 10s \
   setpriv --no-new-privs \
     prlimit --cpu=3 --data=50000000 --nproc=1 \
       diff [ARGS]

will limit the "diff" process to running 10 seconds (of wall time),
consume up to 3 seconds of CPU time,
use up to 50MB of memory,
and limit to a single process (so it can't execute child processes).
The "setpriv" ensures it can't gain new privileges.

"prlimit" has more options (e.g. "--fsize" to limit file sizes
so it won't fill the drive, and "--nofiles" to limit number of open files).

These should work on any modern gnu/linux system
("timeout" is from coreutils, "setpriv" and "prlimit" are from util-linux).

None of the above is perfect,
but they add a quick layer of additional restrictions
(and they don't require additional privileges to use).

To take it a step further, you can use containers and tools such as
"bubblewrap" and "firejail" to isolate a process from the network,
from the filesystem, and even from other processes.


Hope this helps,
 -assaf
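The wrapper Assaf sketches above can also be built without shelling out to `timeout`, `prlimit` and `setpriv`: the same limits are available to any program through `setrlimit(2)`, `prctl(PR_SET_NO_NEW_PRIVS)` and a wall-clock timeout on the parent. The following Python wrapper is an added example and is not part of the bug report or of diffutils. It keeps the numbers from the message (10 s wall clock, 3 s CPU, 50 MB data, one process) and adds two assumed extras (`max_file_bytes` and `max_open_files`, mirroring `prlimit --fsize` and `--nofile`, with values chosen here). It also addresses the original concern of the report, letting a remote user choose diff options, by only passing an allow-listed set of options through and terminating the option list with `--` before the file operands. The `ALLOWED_OPTIONS` set and the `diff` path are assumptions for the example.

```python
"""Run diff (or any command) under CPU, memory, process, file and wall-clock
limits, applied in the child between fork() and exec() the way prlimit does.
Added example: not code from the bug report or from diffutils."""
import ctypes
import ctypes.util
import resource
import signal
import subprocess
from dataclasses import dataclass

# Options this wrapper is willing to forward to diff (assumed allow-list).
# Anything else, including -W, is rejected before diff ever sees it.
ALLOWED_OPTIONS = {"-u", "-b", "-w", "-i"}

PR_SET_NO_NEW_PRIVS = 38  # Linux prctl option behind 'setpriv --no-new-privs'

try:
    _libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
except OSError:  # non-Linux or no libc found: skip the no_new_privs step
    _libc = None


class RejectedArgument(ValueError):
    """Raised when caller-supplied arguments fall outside the allow-list."""


@dataclass(frozen=True)
class Limits:
    wall_seconds: float = 10            # timeout 10s
    cpu_seconds: int = 3                # prlimit --cpu=3
    data_bytes: int = 50_000_000        # prlimit --data=50000000 (50 MB)
    max_procs: int = 1                  # prlimit --nproc=1
    max_file_bytes: int = 10_000_000    # like prlimit --fsize (assumed value)
    max_open_files: int = 16            # like prlimit --nofile (assumed value)


def build_argv(options, left, right, diff_path="diff"):
    """Return a safe argv: allow-listed options, then '--', then two operands.
    The '--' terminator means an operand such as '-W' is a file name, never an option."""
    for opt in options:
        if opt not in ALLOWED_OPTIONS:
            raise RejectedArgument(f"option not allowed: {opt!r}")
    for operand in (left, right):
        if "\0" in operand:
            raise RejectedArgument("NUL byte in operand")
    return [diff_path, *list(options), "--", left, right]


def _limit_setter(limits):
    """Build the preexec hook that applies rlimits in the forked child."""
    def apply_limits():
        rl = resource.setrlimit
        # Soft limit one second below hard: the kernel sends SIGXCPU at the
        # soft limit and SIGKILL at the hard one, so the outcome is readable.
        rl(resource.RLIMIT_CPU, (limits.cpu_seconds, limits.cpu_seconds + 1))
        rl(resource.RLIMIT_DATA, (limits.data_bytes, limits.data_bytes))
        rl(resource.RLIMIT_NPROC, (limits.max_procs, limits.max_procs))
        rl(resource.RLIMIT_FSIZE, (limits.max_file_bytes, limits.max_file_bytes))
        rl(resource.RLIMIT_NOFILE, (limits.max_open_files, limits.max_open_files))
        if _libc is not None:
            _libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)  # no setuid gains after exec
    return apply_limits


def run_limited(argv, limits=Limits(), stdin_bytes=b""):
    """Run argv under the limits. Returns a dict with an 'outcome' of
    'ok', 'nonzero', 'cpu_limit', 'killed' or 'timeout', plus returncode/stdout."""
    try:
        proc = subprocess.run(
            argv, input=stdin_bytes, capture_output=True,
            timeout=limits.wall_seconds, preexec_fn=_limit_setter(limits),
            env={"PATH": "/usr/bin:/bin", "LC_ALL": "C"},  # minimal environment
        )
    except subprocess.TimeoutExpired:  # subprocess.run kills the child for us
        return {"outcome": "timeout", "returncode": None, "stdout": b""}
    rc = proc.returncode
    if rc == 0:
        outcome = "ok"
    elif rc == -signal.SIGXCPU:
        outcome = "cpu_limit"
    elif rc < 0:
        outcome = "killed"
    else:
        outcome = "nonzero"  # diff uses 1 for "files differ", 2 for trouble
    return {"outcome": outcome, "returncode": rc, "stdout": proc.stdout}


if __name__ == "__main__":
    # Sample usage with two constructed file names; diff must be on PATH.
    print(run_limited(build_argv(["-u"], "left.txt", "right.txt")))
```

The allow-list is the part that actually answers the report: resource limits bound how much damage a bad option can do, but refusing to forward unexpected options removes the problem class entirely. Note that `RLIMIT_NPROC` is not enforced for root on Linux, so the single-process limit only holds for an unprivileged wrapper user, which is how such a service should run anyway.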



