From: Karel Zak <kzak@redhat.com>
To: Stanislav Brabec <sbrabec@suse.cz>
Cc: util-linux@vger.kernel.org, Ali Abdallah <ali.abdallah@suse.com>
Subject: Re: [PATCH] Whitelist libuuid clock file
Date: Tue, 25 Jan 2022 15:30:32 +0100 [thread overview]
Message-ID: <20220125143032.p6otx2vhvft5qwu2@ws.net.home> (raw)
In-Reply-To: <257bafee-3014-d3dc-ca4c-cc1f0504fca2@suse.cz>
On Tue, Jan 25, 2022 at 12:37:09PM +0100, Stanislav Brabec wrote:
> Karel Zak wrote:
> >
> > OK, seems better than my solution ;-) Thanks!
> Actually, I found a very exotic failure of uuidd accessing clock.txt, which
> is not yet covered:
>
> ls -al /var/lib/libuuid/clock.txt
> -rw-rw---- 1 root root 56 Jan 25 11:48 /var/lib/libuuid/clock.txt
> i. e. root owned clock.txt
>
> It happens only if more conditions are met:
> - /var/lib/libuuid exists
> - uuidd is not running nor socket activated
> - uuigden --time is called as root
And vice-versa, if you stop uuidd and start uuidgen as normal user you
get EACCES for /var/lib/libuuid/clock.txt, but this use-case is
probably not so important ...
> If this happens, /var/lib/libuuid/clock.txt is written as root:root by the
> code in libuuid/src/gen_uuid.c:get_clock(). When uuidd is started later, it
> is unable to use clock.txt.
...
> So I think it should be addressed. But I am not sure how to fix it properly
> in the systemd service file.
> ExecStartPre=-/usr/bin/chown uuidd:uuidd /var/lib/libuuid/clock.txt
> does not work:
> /usr/bin/chown: changing ownership of '/var/lib/libuuid/clock.txt':
> Operation not permitted
What about to create a user specific clock state file if we cannot access
the default one due to EACCES? Something like:
state_fd = open(LIBUUID_CLOCK_FILE, O_RDWR|O_CREAT|O_CLOEXEC, 0660);
if (state_fd < 0 &7 errno == EACCES) {
snprintf(path, "%s-%d", LIBUUID_CLOCK_FILE, getuid());
state_fd = open(path, O_RDWR|O_CREAT|O_CLOEXEC, 0660);
}
so for the bad use-case:
/var/lib/libuuid/clock.txt
/var/lib/libuuid/clock.txt-<uuidd_uid>
in theory it means two clock queues, but if uuidd is running then
libuuid/getuuid always uses it.
The important is that in this way we can be sure uuidd is always
successful, and I guess the sensitive use-case (SAP;-) is always about
uuidd. IMHO it's more robust then depend on systemd ExecStartPre (or
so).
Karel
--
Karel Zak <kzak@redhat.com>
http://karelzak.blogspot.com
next prev parent reply other threads:[~2022-01-25 14:36 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-25 10:17 [PATCH] Whitelist libuuid clock file Stanislav Brabec
2022-01-25 10:53 ` Karel Zak
2022-01-25 11:37 ` Stanislav Brabec
2022-01-25 14:30 ` Karel Zak [this message]
2022-01-26 15:07 ` Stanislav Brabec
2022-01-26 21:24 ` Karel Zak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220125143032.p6otx2vhvft5qwu2@ws.net.home \
--to=kzak@redhat.com \
--cc=ali.abdallah@suse.com \
--cc=sbrabec@suse.cz \
--cc=util-linux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.