Skip to content

Harden dhcp by checking for /sbin/dhclient #3239

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 23, 2020
Merged

Harden dhcp by checking for /sbin/dhclient #3239

merged 1 commit into from
Feb 23, 2020

Conversation

kris7t
Copy link
Collaborator

@kris7t kris7t commented Feb 23, 2020

In order to avoid picking up some random executable from $PATH and potentially running it root privileges, dhcp.c should check for /sbin/dhclient or /usr/sbin/dhclient directly. This might cause problems on distributions where dhclient is located elsewhere, but as far as I know, /sbin is the default location (and even Arch, which uses only /usr/bin, symlinks /sbin to /usr/bin). This is the same approach that netfilter.c takes when running iptables-restore.

I formulated the check for root privileges according to https://github.com/netblue30/firejail/blob/master/src/firejail/x11.c#L1103, which allows the binary to either be owned by root, or the root group. A more paranoid version would use open, fstat and fexecve to make sure ownership of the binary does not change between the stat and exec calls. On the other hand, manipulation of a binary already owned by root means the system is already compromised, so there's probably not much point to be careful about TOCTOU here. netfiler.c even skips the check altogether, and relies on /sbin being only writable by root.

Hopefully, we don't blindly execute a binary with root privileges anywhere else in the codebase.

A more meta question: what is the policy with running external executable from firejail with root privilages (even if capability and seccomp sandboxed)? The potential for introducing setuid-related vulnerabilities is high. If we want to integrate additional external tools (like xdg-dbus-proxy), we should try to keep it reasonably safe.

smitsohu
smitsohu reviewed Feb 23, 2020
View reviewed changes
Copy link
Collaborator

@smitsohu smitsohu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Thanks for finding this!

@smitsohu
Copy link
Collaborator

IMHO sbox is not really in the position to figure out what to execute. Maybe we should replace the execvp with execv?

@kris7t
Copy link
Collaborator Author

kris7t commented Feb 23, 2020

Yeah, execv sounds much safer. We could even move the uid check to sbox, since it would receive the absolute path of the executable.

@kris7t
Harden dhcp by checking for /sbin/dhclient
9860590 
Running /sbin/dhclient or /usr/sbin/dhclient avoids PATH-based vulnerabilities.
We also check that the dhclient is owned by root.
We take an approach similar to netfiler.c and assume that the required binary
ar in /sbin or /usr/sbin, or (like on Arch) /sbin is a symlink to /usr/bin.
@kris7t kris7t requested a review from smitsohu February 23, 2020 16:34
@smitsohu
Copy link
Collaborator

Hopefully, we don't blindly execute a binary with root privileges anywhere else in the codebase.

Quickly checked and there seem to be no other instances. Also means that replacing execvp with execv is indeed a trivial thing.

We could even move the uid check to sbox, since it would receive the absolute path of the executable.

👍

@smitsohu smitsohu merged commit eb56a27 into netblue30:master Feb 23, 2020
@smitsohu
Copy link
Collaborator

Merged, thanks!

@smitsohu
Copy link
Collaborator

I'm going to remove the execvp in a separate patch.

@kris7t
Copy link
Collaborator Author

kris7t commented Feb 23, 2020
edited
Loading

@smitsohu Oh, I am also trying to put together a patch for that -- with some extra checking. Playing around with some symlinks, I think the paranoia with fecexve might be warranted, although I am still figuring out how to use it properly.

@smitsohu
Copy link
Collaborator

@kris7t Go ahead! I did not start yet :)

@kris7t kris7t mentioned this pull request Feb 23, 2020
Merged
@kris7t kris7t deleted the dhcp-client branch February 23, 2020 21:06
@rusty-snake rusty-snake mentioned this pull request Jul 26, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smitsohu smitsohu smitsohu approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kris7t @smitsohu