Bug 30992 - libsandbox doesn't check the old path while renaming
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Unclassified
Hardware: All Linux
Importance: High normal
Assignee: Portage team
Keywords: Inclusion
Reported: 2003-10-12 14:39 UTC by Andrea Luzzardi
Modified: 2011-10-30 22:22 UTC
Attachments
libsandbox.c patch to make sandbox check the oldpath (sandbox_forbid_rename.patch, 190 bytes, patch)
2003-10-12 14:40 UTC, Andrea Luzzardi
Description Andrea Luzzardi 2003-10-12 14:39:07 UTC
sandbox's rename checks only the newpath while renaming.
This means that a sandbox'ed process can move every file/directory they want from the system to a sandbox'ed write path. e.g.:
"rm /etc/passwd" inside the sandbox will not work, but something like:
"mv /etc/passwd . && rm passwd" will (assuming the current directory is in SANDBOX_WRITE).

I've made a small patch which checks the oldpath. Seems to work here, but I don't know if it'll break some packages.
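
The gap described in this report, as a simplified model added here (not part of the original report, the attached patch, or libsandbox itself): a rename policy that checks only the destination beside one that treats both ends as writes. The function names and the write prefixes are hypothetical, and paths are assumed to be already canonical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed write prefixes standing in for SANDBOX_WRITE (hypothetical values). */
static const char *const write_prefixes[] = { "/var/tmp/portage", "/tmp" };

/* 1 if path is a prefix directory or lies beneath one. Assumes path is already
 * absolute and canonical; a real wrapper must resolve "..", symlinks, cwd first. */
static int write_allowed(const char *path)
{
    size_t i, n;
    for (i = 0; i < sizeof write_prefixes / sizeof write_prefixes[0]; i++) {
        n = strlen(write_prefixes[i]);
        /* Require a component boundary so "/tmp" does not match "/tmpfoo". */
        if (strncmp(path, write_prefixes[i], n) == 0 &&
            (path[n] == '/' || path[n] == '\0'))
            return 1;
    }
    return 0;
}

/* unlink() modifies the directory entry at path, so it is a write to path. */
static int unlink_allowed(const char *path) { return write_allowed(path); }

/* Behaviour described in the report: only the destination is checked. */
static int rename_allowed_newpath_only(const char *oldpath, const char *newpath)
{
    (void)oldpath;
    return write_allowed(newpath);
}

/* rename() also removes the entry at oldpath, so both ends are writes. */
static int rename_allowed_both(const char *oldpath, const char *newpath)
{
    return write_allowed(oldpath) && write_allowed(newpath);
}

int main(void)
{
    const char *src = "/etc/passwd", *dst = "/var/tmp/portage/passwd";
    printf("unlink %s: %d\n", src, unlink_allowed(src));
    printf("rename, newpath only: %d\n", rename_allowed_newpath_only(src, dst));
    printf("rename, both paths:   %d\n", rename_allowed_both(src, dst));
    return 0;
}
```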
Comment 1 Andrea Luzzardi 2003-10-12 14:40:58 UTC
Created attachment 19147
libsandbox.c patch to make sandbox check the oldpath
Comment 2 Martin Schlemmer (RETIRED) gentoo-dev 2003-10-13 12:46:26 UTC
Fixed in CVS. Nick, I guess we can mark this as a possible security exploit,
although that is not really what sandbox is used for? Anyhow, could you
push for next portage revision? Thanks.
Comment 3 Nicholas Jones (RETIRED) gentoo-dev 2003-10-26 20:27:29 UTC
Out in -r15