Posted to dev@httpd.apache.org by Lazy <la...@gmail.com> on 2012/11/05 00:18:43 UTC

Re: [patch] Fix cross-user symlink race condition vulnerability

2012/10/31 Eric Jacobs <ej...@bluehost.com>:
> On 10/31/2012 06:00 AM, Eric Covener wrote:
>>
>> In general that is the proper form -- but this particular issue is
>> documented as a limitation:
>>
>> "Omitting this option should not be considered a security restriction,
>> since symlink testing is subject to race conditions that make it
>> circumventable."
>
>
> Some users (like Bluehost) require the functionality of symlinks without the
> possibility of server side vulnerabilities. Having the vulnerability
> documented doesn't keep servers safe. The patch I submitted allows httpd to
> use symlinks in a protected fashion that doesn't allow for users to serve
> arbitrary files.
>
> I'll go ahead and submit a more detailed email to the security. More
> feedback from the devs is appreciated.

On some systems, at least on Linux, you can use a grsecurity kernel
patch feature which prevents those races
and is cheaper performance-wise:

+config GRKERNSEC_SYMLINKOWN
+       bool "Kernel-enforced SymlinksIfOwnerMatch"
+       default y if GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER
+       help
+         Apache's SymlinksIfOwnerMatch option has an inherent race condition
+         that prevents it from being used as a security feature.  As Apache
+         verifies the symlink by performing a stat() against the target of
+         the symlink before it is followed, an attacker can setup a symlink
+         to point to a same-owned file, then replace the symlink with one
+         that targets another user's file just after Apache "validates" the
+         symlink -- a classic TOCTOU race.  If you say Y here, a complete,
+         race-free replacement for Apache's "SymlinksIfOwnerMatch" option
+         will be in place for the group you specify. If the sysctl option
+         is enabled, a sysctl option with name "enforce_symlinksifowner" is
+         created.
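Review bot: the help text says a race-free replacement "will be in place for the group you specify", but the option that selects that group is not part of the quoted hunk, so the snippet does not show on its own how the enforced group is configured; quote the companion option alongside it, or say explicitly that it is omitted. The same applies to the "enforce_symlinksifowner" sysctl, which is named but whose effect (toggle at runtime, default state) is not described in the visible lines.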

There probably is something similar on *BSDs, or if there isn't, it
won't be hard to make.

Your patch checks for race conditions every time, even if symlinks
weren't allowed. It also references some
configuration-dependent directory like /usr/local/apache/htdocs.

-- 
Michal Grzedzicki