[28214] in Source-Commits
Re: auto-update commit: Move update hook location and clean-up on success
daemon@ATHENA.MIT.EDU (Jonathon Weiss)
Wed May 14 18:06:23 2014
To: Jonathan D Reed <jdreed@MIT.EDU>
cc: Jonathon Weiss <jweiss@MIT.EDU>,
"source-commits\@mit.edu" <source-commits@MIT.EDU>
In-reply-to: <D5CEE8FC-AB2F-4362-B49D-5FD25917A424@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Date: Wed, 14 May 2014 18:06:13 -0400
From: Jonathon Weiss <jweiss@MIT.EDU>
Message-id: <20140414t180613p9575damsjw@the-other-woman.mit.edu>
Content-Transfer-Encoding: 8bit
OK, thanks for the explanation.
--
Jonathon
Jonathan D Reed <jdreed@MIT.EDU> wrote:
> I do not believe this increases our exposure, for the following reasons:
>
> * The file path is rm’d immediately before it is downloaded. If the rm fails for whatever reason, it will return non-zero, and the update will end (because of set -e) and report the failure via athinfo.
> * The sha256sum is fetched entirely over the network, over SSL, and never saved to disk, so if someone swaps out the script, the checksums won’t match.
> * It’s already (in theory) not possible to be logged in while an update is under way.
>
> In the event that someone is logged in, and manages to swap out the script in the one line between when the sha256sum is verified and when it is executed, that would obviously be a problem. But if they can do that, there are far easier attack vectors, like replacing auto-update itself, or just sketching directly on the disk.
>
> -Jon
>
>
> On May 13, 2014, at 7:50 PM, Jonathon Weiss <jweiss@MIT.EDU> wrote:
>
> >
> > Does this open us to any attacks because /var/tmp is world-writable, and
> > we're using a predictable filename in it? Two possibilities that come
> > to mind off the top of my head are symlinking the file to somewhere and
> > getting a file on disk smashed, and putting a script there and getting
> > it run as root outside the "serial-reusability jail". That said, I
> > haven't looked at the code to see if there are any other things that
> > might be mitigating such attacks.
> >
> > Jonathon
> >
> >
> > Jonathan D Reed <jdreed@MIT.EDU> wrote:
> >
> >> https://github.com/mit-athena/auto-update/commit/40ffb03f155dfd3db1b5ed31bd92b27486c2bdfb
> >> commit 40ffb03f155dfd3db1b5ed31bd92b27486c2bdfb
> >> Author: Jonathan Reed <jdreed@mit.edu>
> >> Date: Tue May 13 15:32:45 2014 -0400
> >>
> >> Move update hook location and clean-up on success
> >>
> >> /run is noexec, so we can't actually execute the update hook, so
> >> we move it to /var/tmp instead (Trac: #1461)
> >>
> >> We also clean up the hook upon successful execution
> >>
> >> debian/athena-auto-update | 3 ++-
> >> debian/changelog | 8 ++++++++
> >> 2 files changed, 10 insertions(+), 1 deletions(-)
> >>
> >> diff --git a/debian/athena-auto-update b/debian/athena-auto-update
> >> index ac9ae69..6f2e35e 100644
> >> --- a/debian/athena-auto-update
> >> +++ b/debian/athena-auto-update
> >> @@ -185,7 +185,7 @@ fi
> >> UPDATE_HOOK_URL="https://athena10.mit.edu/update-hook/debathena-update-hook.sh"
> >> UPDATE_HOOK_SUM="https://athena10.mit.edu/update-hook/debathena-update-hook-sha256sum"
> >> MITCA="/usr/share/debathena-auto-update/mitCA.crt"
> >> -UPDATE_HOOK="/var/run/debathena-update-hook.sh"
> >> +UPDATE_HOOK="/var/tmp/debathena-update-hook.sh"
> >>
> >> rm -f $UPDATE_HOOK
> >> if [ "$RUN_UPDATE_HOOK" = "yes" ] && \
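Review bot: the new `UPDATE_HOOK="/var/tmp/debathena-update-hook.sh"` is a fixed, predictable name in a directory every local user can write to, and the `rm -f $UPDATE_HOOK` that follows does not reserve the name: anything re-created there between the `rm -f` and the download is what the script will write to and later execute. Prefer a private directory made with `mktemp -d` (mode 0700, owned by root) and place the hook inside it, or at least a `mktemp`-generated filename; also quote the expansion as `rm -f "$UPDATE_HOOK"` to match the `"$RUN_UPDATE_HOOK"` test on the next line.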
> >> @@ -208,6 +208,7 @@ if [ "$RUN_UPDATE_HOOK" = "yes" ] && \
> >> exit
> >> else
> >> touch "/var/lib/athena-update-hooks/$SHA256SUM"
> >> + rm -f $UPDATE_HOOK
> >> fi
> >> fi
> >> fi
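Review bot: the added `rm -f $UPDATE_HOOK` runs only in the success (`else`) branch; the failure branch that ends in `exit` still leaves the downloaded script sitting in /var/tmp until the next run's `rm -f`. A `trap 'rm -f "$UPDATE_HOOK"' EXIT` set right after `UPDATE_HOOK` is assigned would clean up on both paths (and on `set -e` aborts) with a single line, and the variable should be quoted here as well.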
> >> diff --git a/debian/changelog b/debian/changelog
> >> index 3fd45ac..59bbbd4 100644
> >> --- a/debian/changelog
> >> +++ b/debian/changelog
> >> @@ -1,3 +1,11 @@
> >> +debathena-auto-update (1.45) unstable; urgency=low
> >> +
> >> + * Do not attempt to run update hooks out of /var/run, since it's mounted
> >> + noexec; use /var/tmp instead (Trac: #1461)
> >> + * Delete the script upon successful execution
> >> +
> >> + -- Jonathan Reed <jdreed@mit.edu> Tue, 13 May 2014 15:32:36 -0400
> >> +
> >> debathena-auto-update (1.44) unstable; urgency=low
> >>
> >> * Add git-buildpackage configuration
>
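As an added example, not code from this thread or from the auto-update project: the download / verify / run sequence Jon describes, restructured so the hook never sits at a predictable name in world-writable /var/tmp. `fetch`, `HOOK_REPO`, `run_update_hook` and the demo-repo helpers are constructed stand-ins for offline use; the real script downloads over HTTPS with the MIT CA.

```shell
#!/bin/sh
# Added example (not auto-update's own code): the download / verify / run
# sequence discussed in the thread, with the hook kept in a fresh mode-0700
# mktemp -d directory instead of a fixed name in world-writable /var/tmp, the
# expected checksum held in memory only, and cleanup on every exit path.
set -u

# fetch URL: stand-in for the HTTPS download (wget -O - with the MIT CA in the
# real script). To run offline it reads from a constructed directory, HOOK_REPO.
HOOK_REPO="${HOOK_REPO:-$(mktemp -d)}"
fetch() { cat "$HOOK_REPO/${1##*/}"; }
sum256() { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; }

# run_update_hook HOOK_URL SUM_URL -> 0 if the hook verified and ran, 1 otherwise
run_update_hook() {
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/update-hook.XXXXXX") || return 1
    trap 'rm -rf "$workdir"' EXIT HUP INT TERM   # never leave a stale script behind
    hook="$workdir/hook.sh"
    fetch "$1" > "$hook" || { rm -rf "$workdir"; return 1; }
    expected=$(fetch "$2" | awk '{print $1}')
    actual=$(sum256 "$hook" | awk '{print $1}')
    status=1
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        # Execute exactly the file just hashed; only the owner (root, for the
        # updater) can reach $workdir, so nobody else can swap it in between.
        if sh "$hook"; then status=0; fi
    else
        echo "update hook checksum mismatch; refusing to run" >&2
    fi
    rm -rf "$workdir"
    return "$status"
}

# Constructed sample "server": a hook that writes a marker file, plus its sum in
# the `sha256sum` output format the published sum file uses.
setup_demo_repo() {
    printf '#!/bin/sh\ntouch "%s/hook-ran"\n' "$HOOK_REPO" \
        > "$HOOK_REPO/debathena-update-hook.sh"
    (cd "$HOOK_REPO" && sum256 debathena-update-hook.sh > debathena-update-hook-sha256sum)
}

# Simulate the swap the thread worries about: the script changes after its sum
# was published, so the in-memory comparison must refuse to run it.
tamper_demo_repo() { echo 'echo tampered' >> "$HOOK_REPO/debathena-update-hook.sh"; }
```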