Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Metadata validation and other security improvements #346

Merged
merged 13 commits into from
Feb 23, 2022
Merged

Metadata validation and other security improvements #346

merged 13 commits into from
Feb 23, 2022

Conversation

ebiggers
Copy link
Collaborator

This pull request makes a large number of changes (mostly related to the metadata storage) to address some reported security issues, as well as go a bit beyond the specific current issues and reduce the attack surface for the future.

For the immediate security issues, make the following changes:

  • Fix fscrypt status and the bash completion script to handle maliciously-crafted mountpoint paths.
  • Validate the size and type of all metadata files before trying to read them.
  • Reject any login protectors that are owned by the wrong user, as they could be maliciously spoofed.
  • Make fscrypt setup offer the user a choice between world-writable mode (the previous behavior) and single-user-writable mode (which for security reasons is the new default behavior, but most users should be fine with world-writable).

For additional hardening, make the following changes:

  • When running as a non-root user, don't read any metadata files owned by, or in a directory owned by, another non-root user. An opt-out flag for this is provided in /etc/fscrypt.conf if this particular change causes problems.
  • Create all metadata files with mode 0600, rather than the default of 0644. To make this possible, some additional changes are made to prevent files from being owned by root when they should be owned by a regular user.
  • Make pam_fscrypt ignore system users entirely.

I've split the changes into individual commits. They should be easier to review individually.

@ebiggers ebiggers requested a review from josephlr February 16, 2022 07:45
@josephlr
Copy link
Member

Thank you for splitting this up! Reviewing now

Copy link
Member

@josephlr josephlr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviews though the first 3 commits, I'll try to have comments on the rest before end-of-week.

filesystem/mountpoint_test.go Outdated Show resolved Hide resolved
filesystem/mountpoint_test.go Outdated Show resolved Hide resolved
filesystem/filesystem.go Outdated Show resolved Hide resolved
filesystem/filesystem.go Show resolved Hide resolved
filesystem/filesystem.go Outdated Show resolved Hide resolved
filesystem/filesystem.go Outdated Show resolved Hide resolved
filesystem/filesystem.go Outdated Show resolved Hide resolved
filesystem/filesystem.go Outdated Show resolved Hide resolved
filesystem/filesystem.go Outdated Show resolved Hide resolved
cmd/fscrypt/fscrypt_bash_completion Show resolved Hide resolved
@ebiggers ebiggers force-pushed the fixes branch 3 times, most recently from 616cbd2 to bfdfa8d Compare February 17, 2022 08:44
@mgerstner
Copy link

Overall the changes look good to me. Thanks for considering the additional hardenings.

@ebiggers
Copy link
Collaborator Author

One potential issue with mode 0755 metadata directories: as proposed in this pull request currently, it won't be possible for non-root users to update policies or protectors they own, since for atomicity reasons fscrypt implements updates using a create followed a replace, rather than using a direct overwrite.

Notably, this would break the pam_fscrypt functionality that updates a user's login protector when they change their passphrase.

There are two potential solutions to this:

1.) Make the Chauthtok function of pam_fscrypt not drop privileges to the user. Disadvantage: this would increase the attack surface.
2.) Make updates fall back to direct overwrites if the process lacks permission to create files. Disadvantage: in general, this would make updates non-atomic, i.e. there would be a window where the file would be lost in the event of a system crash. That is obviously an undesirable property, although I'm not sure how much it matters in practice --- it might be a super small window, or perhaps the overwrites would actually still be atomic in most cases due to the files usually being smaller than the disk sector size.

@josephlr, any thoughts about which one of the above two we should choose?

@josephlr
Copy link
Member

josephlr commented Feb 22, 2022

@ebiggers My preference would be for option (2) if we have to choose. It works better with fscrypt's other commands that modify protectors/policies. It would also only be non-atomic in the following (narrow) cases:

  • the user has /.fscrypt setup as root-only
  • root has explicitly given a user ownership of a protector/policy file (which isn't done by default)
  • that user makes a change to one of their policies or protectors

In addition to option (2), in a follow up PR we could create a dedicated "tmp" file owned by root (with 1777 permissions) that could be used to make things atomic. In that case we would need to worry about data corruption concerns and locking, so it might not be the best choice. But we can discuss that approach later.

@ebiggers ebiggers force-pushed the fixes branch 2 times, most recently from 0385896 to 4a67ecf Compare February 23, 2022 06:52
Following the example of /proc/self/mountinfo, replace the space,
newline, tab, and backslash characters with octal escape sequences so
that the output can be parsed unambiguously.
Mountpoint paths might be untrusted arbitrary strings; the fscrypt bash
completion script might need to complete to such strings.
Unfortunately, the design of bash completion places some major footguns
in the way of doing this correctly and securely:

   - "compgen -W" expands anything passed to it, so the argument to -W
     must be single-quoted to avoid an extra level of expansion.

   - The backslashes needed to escape meta-characters in the completed
     text aren't added automatically; they must be explicitly added.

Note that the completion script for 'umount' used to have these same
bugs (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179,
util-linux/util-linux#539).

Fix these bugs in roughly the same way that 'umount' fixed them.
Don't allow reading metadata files that are very large, as they can
crash the program due to the memory required.  Similarly, don't allow
reading metadata files that aren't regular files, such as FIFOs, or
symlinks (which could point to a device node like /dev/zero), as that
can hang the program.  Both issues were particularly problematic for
pam_fscrypt, as they could prevent users from being able to log in.

Note: these checks are arguably unneeded if we strictly check the file
ownership too, which a later commit will do.  But there's no reason not
to do these basic checks too.
If a login protector contains a UID that differs from the file owner
(and the file owner is not root), it might be a spoofed file that was
created maliciously, so make sure to consider such files to be invalid.
To allow users to update fscrypt metadata they own in
single-user-writable metadata directories (introduced by the next
commit), fall back to non-atomic overwrites when atomic ones can't be
done due to not having write access to the directory.
World-writable directories are not appropriate for some systems, so
offer a choice of single-user-writable and world-writable modes, with
single-user-writable being the default.  Add a new documentation section
to help users decide which one to use.
The metadata validation checks introduced by the previous commits are
good, but to reduce the attack surface it would be much better to avoid
reading and parsing files owned by other users in the first place.

There are some possible use cases for users sharing fscrypt metadata
files, but I think that for the vast majority of users it is unneeded
and just opens up attack surface.  Thus, make fscrypt (and pam_fscrypt)
not process policies or protectors owned by other users by default.
Specifically,

   * If fscrypt or pam_fscrypt is running as a non-root user, only
     policies and protectors owned by the user or by root can be used.

   * If fscrypt is running as root, any policy or protector can be used.
     (This is to match user expectations -- starting a sudo session
     should gain rights, not remove rights.)

   * If pam_fscrypt is running as root, only policies and protectors
     owned by root can be used.  Note that this only applies when the
     root user themselves has an fscrypt login protector, which is rare.

Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which
allows restoring the old behavior for anyone who really needs it.
A previous commit extended file ownership validation to policy and
protector files (by default -- there's an opt-out in /etc/fscrypt.conf).

However, that didn't apply to the parent directories:

	MOUNTPOINT
	MOUNTPOINT/.fscrypt
	MOUNTPOINT/.fscrypt/policies
	MOUNTPOINT/.fscrypt/protectors

The problem is that if the parent directories aren't trusted (owned by
another non-root user), then untrusted changes to their contents can be
made at any time, including the introduction of symlinks and so on.

While it's debatable how much of a problem this really is, given the
other validations that are done, it seems to be appropriate to validate
the parent directories too.

Therefore, this commit applies the same ownership validations to the
above four directories as are done on the metadata files themselves.

In addition, it is validated that none of these directories are symlinks
except for ".fscrypt" where this is explicitly supported.
Since commit 4c7c663 ("Set owner of login protectors to correct
user"), login protectors are made owned by the user when root creates
one on a user's behalf.  That's good, but the same isn't true of other
files that get created at the same time:

- The policy protecting the directory
- The protector link file, if the policy is on a different filesystem
- The recovery protector, if the policy is on a different filesystem
- The recovery instructions file

In preparation for setting all metadata files to mode 0600, start making
all these files owned by the user in this scenario as well.
Since fscrypt replaces metadata files rather than overwrites them (to
get atomicity), their owner will change to root if root makes a change.
That isn't too much of an issue when the files have mode 0644.  However,
it will become a much bigger issue when the files have mode 0600,
especially because existing files with mode 0644 would also get changed
to have mode 0600.

In preparation for this, start preserving the previous owner and mode of
policy and protector files when they are updated.
Currently, fscrypt policies and protectors are world readable, as they
are created with mode 0644.  While this can be nice for use cases where
users share these files, those use cases seem to be quite rare, and it's
not a great default security-wise since it exposes password hashes to
all users.  While fscrypt uses a very strong password hash algorithm, it
would still be best to follow the lead of /etc/shadow and keep this
information non-world-readable.

Therefore, start creating these files with mode 0600.

Of course, if users do actually want to share these files, they have the
option of simply chmod'ing them to a less restrictive mode.  An option
could also be added to make fscrypt use the old mode 0644; however, the
need for that is currently unclear.
If the error is anything other than ErrNotSetup, it might be helpful to
know what is going on.
pam_fscrypt should never need to do anything for system users, so detect
them early so that we can avoid wasting any resources looking for their
login protector.
@ebiggers
Copy link
Collaborator Author

@ebiggers My preference would be for option (2) if we have to choose. It works better with fscrypt's other commands that modify protectors/policies. It would also only be non-atomic in the following (narrow) cases:

  • the user has /.fscrypt setup as root-only
  • root has explicitly given a user ownership of a protector/policy file (which isn't done by default)
  • that user makes a change to one of their policies or protectors

In addition to option (2), in a follow up PR we could create a dedicated "tmp" file owned by root (with 1777 permissions) that could be used to make things atomic. In that case we would need to worry about data corruption concerns and locking, so it might not be the best choice. But we can discuss that approach later.

I've implemented option (2) as the "least bad" option. Note that unfortunately it will be used a bit more widely than stated above. Notably, login protectors are owned by the user, and when the user changes their passphrase, pam_fscrypt updates the login protector using the user's privileges. That case will use the non-atomic overwrite.

@ebiggers ebiggers merged commit 91aa3eb into master Feb 23, 2022
@ebiggers ebiggers deleted the fixes branch February 23, 2022 20:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants