GNU bug report logs -
#47849
[PATCH] Add a jami-daemon service.
Previous Next
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Maxim Cournoyer schreef op za 17-04-2021 om 16:06 [-0400]:
+ (delete-file-recursively "/var/lib/jami/.cache/jami")
+ (delete-file-recursively "/var/lib/jami/.config/jami")
+ (delete-file-recursively "/var/lib/jami/.local/share/jami")
+ (delete-file-recursively "/var/lib/jami/accounts"))
You might want to verify whether /var/lib/jami/{.cache,.config,.local/share,.local}
aren't symbolic links. That way, if the Jami daemon is compromised (due to buffer
overflow --> arbitrary code execution or something), the attacker can't trick the
shepherd service into deleting arbitrary directories.
This attack is _not_ blocked by fs.protected_symlinks. From the sysctl documentation:
When set to "1" symlinks are permitted to be followed only when outside
a sticky world-writable directory, or [...]
/var/lib/jami is not world-writable (I'd hope).
Example scenario:
* the jami daemon has a security bug that allows arbitrary code execution
within the daemon
* the attacker exploits this
* now the attacker can modify everything under /var/lib/jami
* the attacker deletes /var/lib/jami/.config and replaces it with a symlink
to /home/ANY-USER/.config
* eventually, the system reboots
* (delete-file-recursively "/var/lib/jami/.config/jami") is run.
As "/var/lib/jami/.config" points to "/home/ANY-USER/.config",
this means "/home/ANY-USER/.config/jami" is deleted.
* thus, ANY-USER loses their jami configuration
Does that makes sense to you?
Greetings,
Maxime.
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 3 years and 293 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.