checkpath in OpenRC through 0.42.1 might allow local users to take ownership of arbitrary files because a non-terminal path component can be a symlink
More information: http://michael.orlitzky.com/cves/cve-2018-21269.xhtml
I have received a couple of suggestions for this, neither is quite what
I would want.
- make checkpath only check things without changing them (this would break
- use linux specific fixes (this would cause different behavior for
There was a long thread about in January 2018:
In summary: checkpath promises something it can't safely do, so checkpath should be deprecated and replaced by something that promises less.
I called it "newpath" in that thread, and there are two main things that need to happen:
* The new helper should be able to drop privileges before it acts. This is
basically just a portable "su", since "su" itself is not portable.
* The new helper should verify, from the root up, that it never traverses a
directory that is writable by anyone other than root or itself. You can
steal part of the systemd tmpfiles implementation for this.
I also think the new helper should refuse to modify the ownership or permissions on an existing file or directory. (Attempting to do so is fine, if the operation would turn out to be a no-op.)
Once those things are done, the basic pattern is...
1. Create a "top-level" user-writable path within a root-only path.
For example, "newpath --directory /run/foo"
2. Drop privileges and create/modify whatever you need beneath that
"top-level" path as the restricted user. For example,
"newpath --as=foo --file /run/foo/bar"
(In reply to Michael Orlitzky from comment #4)
> Once those things are done, the basic pattern is...
> 1. Create a "top-level" user-writable path within a root-only path.
> For example, "newpath --directory /run/foo"
Whoops, for the example to make sense that should be:
newpath --owner=foo --directory /run/foo
that way the "foo" user can write to it in step 2.