D14467: Auth Support: Drop privileges if target is not owned by root

Malte Kraus noreply at phabricator.kde.org
Fri Jun 21 11:04:20 BST 2019 

maltek requested changes to this revision.
maltek added a comment.
This revision now requires changes to proceed.


  I noticed a few more things on the second read.

INLINE COMMENTS

> filehelper.cpp:123
> +    const QByteArray baseName = basename(tempPath2.data());
> +    int parent_fd = open(parentDir.data(), O_DIRECTORY | O_PATH | O_NOFOLLOW);
> +    int base_fd = -1;

This needs error handling.

> filehelper.cpp:129
> +
> +    if (action != CHMOD & action != CHOWN && action != UTIME) {
> +        targetPrivilege = getTargetPrivilege(parent_fd);

typo: there's a second & missing after the first condition. (I don't think it ends up affecting the result.)

> filehelper.cpp:132
> +    } else {
> +        base_fd = openat(parent_fd, baseName.data(), O_NOFOLLOW);
> +        targetPrivilege = getTargetPrivilege(base_fd);

There's no error handling here, which will likely lead to weird `EBADF` errors getting returned later.

> filehelper.cpp:133
> +        base_fd = openat(parent_fd, baseName.data(), O_NOFOLLOW);
> +        targetPrivilege = getTargetPrivilege(base_fd);
>      }

For `chown`, dropping privileges here means that the `chown` later can't succeed - it's not possible to 'gift' a file to another user. I think it should be handled more like `DEL/RMDIR/MKDIR` etc.

> filehelper.cpp:150
> +                int gid = arg3.toInt();
> +                if (fchown(base_fd, uid, gid) == -1) {
> +                    reply.setError(errno);

I just realized that this wouldn't allow changing the owner of symbolic links. The way to go here is `lchown`.

> filehelper.cpp:187
> +                gainPrivilege(origPrivilege);
> +                bool sendSuccess = sendFileDescriptor(fd, arg4.toByteArray().constData());
> +                if (fd != -1 && sendSuccess) {

In the error case, this attempts sending fd `-1`. I haven't checked the underlying code, but this will probably pollute `errno` with something unrelated to the underlying error.

> filehelper.cpp:209
> +                if (symlinkat(target.data(), parent_fd, baseName.data()) == -1) {
> +                    return reply;
> +                }

This early return skips all the deintialization code in the end of the function. Shouldn't it just be `reply.setError(errno);` like for all the other operations?

REPOSITORY
  R241 KIO

REVISION DETAIL
  https://phabricator.kde.org/D14467

To: chinmoyr, dfaure, ngraham, elvisangelaccio, #frameworks, #dolphin, maltek
Cc: maltek, mreeves, mgerstner, fvogt, kde-frameworks-devel, LeGast00n, michaelh, ngraham, bruns
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-frameworks-devel/attachments/20190621/eb9ca76b/attachment-0001.html>

More information about the Kde-frameworks-devel mailing list