[GHC] #8058: If .ghci is a symlink, permissions aren't read correctly
#8058: If .ghci is a symlink, permissions aren't read correctly -------------------------------------------+------------------------------- Reporter: berdario | Owner: Type: bug | Status: new Priority: low | Milestone: Component: GHCi | Version: 7.6.2 Keywords: | Operating System: Architecture: Unknown/Multiple | Unknown/Multiple Difficulty: Easy (less than 1 hour) | Type of failure: Other Blocked By: | Test Case: Related Tickets: | Blocking: -------------------------------------------+------------------------------- dario@macbook ~> ls -l .ghci lrwxrwxrwx 1 dario dario 40 Jul 14 15:27 .ghci -> /home/dario/.dotfiles/dotfiles/ghci.conf dario@macbook ~> ls -l (readlink -f .ghci) -rw-r--r-- 1 dario dario 10 Jul 14 15:25 /home/dario/.dotfiles/dotfiles/ghci.conf dario@macbook ~> ghci GHCi, version 7.6.2: http://www.haskell.org/ghc/ :? for help Loading package ghc-prim ... linking ... done. Loading package integer-gmp ... linking ... done. Loading package base ... linking ... done. *** WARNING: /home/dario/.dotfiles/dotfiles is writable by someone else, IGNORING! Prelude> Obviously, /home/dario/.dotfiles/dotfiles isn't writable by someone else... Someone else could actually delete the symlink and maybe recreate it... but it couldn't inject malicious commands in the .ghci, unless the file pointed by the symlink was also writable by the attacker, in which case, checking the permissions of the target of the symlink would still prevent any wrongdoing -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/8058 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#8058: If .ghci is a symlink, permissions aren't read correctly -------------------------------+------------------------------------------- Reporter: berdario | Owner: Type: bug | Status: new Priority: low | Milestone: Component: GHCi | Version: 7.6.2 Resolution: | Keywords: Operating System: | Architecture: Unknown/Multiple Unknown/Multiple | Difficulty: Easy (less than 1 hour) Type of failure: Other | Blocked By: Test Case: | Related Tickets: Blocking: | -------------------------------+------------------------------------------- Comment (by berdario): {{{ dario@macbook ~> ls -l .ghci lrwxrwxrwx 1 dario dario 40 Jul 14 15:27 .ghci -> /home/dario/.dotfiles/dotfiles/ghci.conf dario@macbook ~> ls -l (readlink -f .ghci) -rw-r--r-- 1 dario dario 10 Jul 14 15:25 /home/dario/.dotfiles/dotfiles/ghci.conf dario@macbook ~> ghci GHCi, version 7.6.2: http://www.haskell.org/ghc/ :? for help Loading package ghc-prim ... linking ... done. Loading package integer-gmp ... linking ... done. Loading package base ... linking ... done. *** WARNING: /home/dario/.dotfiles/dotfiles is writable by someone else, IGNORING! Prelude> }}} Obviously, /home/dario/.dotfiles/dotfiles isn't writable by someone else... Someone else could actually delete the symlink and maybe recreate it... but it couldn't inject malicious commands in the .ghci, unless the file pointed by the symlink was also writable by the attacker, in which case, checking the permissions of the target of the symlink would still prevent any wrongdoing -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/8058#comment:1 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#8058: If .ghci is a symlink, permissions aren't read correctly -------------------------------+------------------------------------------- Reporter: berdario | Owner: Type: bug | Status: closed Priority: low | Milestone: Component: GHCi | Version: 7.6.2 Resolution: invalid | Keywords: Operating System: | Architecture: Unknown/Multiple Unknown/Multiple | Difficulty: Easy (less than 1 hour) Type of failure: Other | Blocked By: Test Case: | Related Tickets: Blocking: | -------------------------------+------------------------------------------- Changes (by leroux): * status: new => closed * resolution: => invalid Comment: Reformatted output from berdario: {{{ $ ls -l .ghci lrwxrwxrwx 1 dario dario 40 Jul 14 15:27 .ghci -> /home/dario/.dotfiles/dotfiles/ghci.conf $ ls -l (readlink -f .ghci) -rw-r--r-- 1 dario dario 10 Jul 14 15:25 /home/dario/.dotfiles/dotfiles/ghci.conf $ ghci GHCi, version 7.6.2: http://www.haskell.org/ghc/ :? for help Loading package ghc-prim ... linking ... done. Loading package integer-gmp ... linking ... done. Loading package base ... linking ... done. * WARNING: /home/dario/.dotfiles/dotfiles is writable by someone else, IGNORING! Prelude> }}} The attacker could symlink `.ghci` to another file which has malicious code. ---- Output from my system: {{{ $ ls -l .ghci lrwxr-xr-x 1 leroux staff 44 Jul 30 10:02 .ghci -> /Users/leroux/.dotfiles/haskell/ghci.symlink $ ls -l `readlink .ghci` -rwxr-x--- 1 leroux staff 338 Sep 22 18:59 /Users/leroux/.dotfiles/haskell/ghci.symlink }}} ---- Fix: {{{ $ chmod 755 .ghci }}} -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/8058#comment:2 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#8058: If .ghci is a symlink, permissions aren't read correctly -------------------------------+------------------------------------------- Reporter: berdario | Owner: Type: bug | Status: closed Priority: low | Milestone: Component: GHCi | Version: 7.6.2 Resolution: invalid | Keywords: Operating System: | Architecture: Unknown/Multiple Unknown/Multiple | Difficulty: Easy (less than 1 hour) Type of failure: Other | Blocked By: Test Case: | Related Tickets: Blocking: | -------------------------------+------------------------------------------- Comment (by rwbarton): On Linux, as far as I know, symlinks don't have permissions (`ls -l` will always report `lrwxrwxrwx`). Permission to delete or modify a symlink is based on write permission for the directory containing the symlink. In any event, ghci shouldn't be claiming that "/home/dario/.dotfiles/dotfiles is writable by someone else" if it isn't. But I can't reproduce this (in ghci 7.4.2): I only get a message like that when either the directory containing the target of the symlink or the target itself really is writable by someone else. In other words, the permissions checks seem to be working correctly for me when .ghci is a symlink (on Linux, ghci version 7.4.2). -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/8058#comment:3 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#8058: If .ghci is a symlink, permissions aren't read correctly -------------------------------+------------------------------------------- Reporter: berdario | Owner: Type: bug | Status: closed Priority: low | Milestone: Component: GHCi | Version: 7.6.2 Resolution: invalid | Keywords: Operating System: | Architecture: Unknown/Multiple Unknown/Multiple | Difficulty: Easy (less than 1 hour) Type of failure: Other | Blocked By: Test Case: | Related Tickets: Blocking: | -------------------------------+------------------------------------------- Comment (by rwbarton): berdario, are you sure /home/dario/.dotfiles/dotfiles really isn't writable by anyone else? If so please reopen this ticket. (I don't have ghci 7.6.2 or a Mac OS machine handy to test on.) -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/8058#comment:4 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#8058: If .ghci is a symlink, permissions aren't read correctly -------------------------------+------------------------------------------- Reporter: berdario | Owner: Type: bug | Status: closed Priority: low | Milestone: Component: GHCi | Version: 7.6.2 Resolution: invalid | Keywords: Operating System: | Architecture: Unknown/Multiple Unknown/Multiple | Difficulty: Easy (less than 1 hour) Type of failure: Other | Blocked By: Test Case: | Related Tickets: Blocking: | -------------------------------+------------------------------------------- Comment (by leroux): {{{ $ ghci GHCi, version 7.6.3: http://www.haskell.org/ghc/ :? for help Loading package ghc-prim ... linking ... done. Loading package integer-gmp ... linking ... done. Loading package base ... linking ... done. *** WARNING: /Users/leroux/Dropbox/src/dotfiles/haskell is writable by someone else, IGNORING! Prelude> Leaving GHCi. $ ls -l .ghci lrwxr-xr-x 1 leroux staff 44 Jul 30 10:02 .ghci -> /Users/leroux/.dotfiles/haskell/ghci.symlink $ ls -l `readlink .ghci` -rwxr-x--- 1 leroux staff 338 Sep 22 18:59 /Users/leroux/.dotfiles/haskell/ghci.symlink $ ls -ld `dirname $(readlink .ghci)` # this is equivalent to `/home/dario/.dotfiles/dotfiles` drwxr-x--x 4 leroux staff 136 Aug 9 00:41 /Users/leroux/.dotfiles/haskell # making the home of .ghci writable $ chmod ugo+w `dirname $(readlink .ghci)` $ ls -ld `dirname $(readlink .ghci)` drwxrwx-wx 4 leroux staff 136 Aug 9 00:41 /Users/leroux/.dotfiles/haskell $ ghci GHCi, version 7.6.3: http://www.haskell.org/ghc/ :? for help Loading package ghc-prim ... linking ... done. Loading package integer-gmp ... linking ... done. Loading package base ... linking ... done. *** WARNING: /Users/leroux/Dropbox/src/dotfiles/haskell is writable by someone else, IGNORING! }}} Note that `/Users/leroux/.dotfiles/haskell` is equivalent to `/home/dario/.dotfiles/dotfiles` as they are the directory where `.ghci` file lives. ---- berdario, it'd be helpful if you let us know what the directory permissions are (as rwbarton asked): {{{ ls -ld `dirname $(readlink .ghci) }}} -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/8058#comment:5 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#8058: If .ghci is a symlink, permissions aren't read correctly -------------------------------+------------------------------------------- Reporter: berdario | Owner: Type: bug | Status: closed Priority: low | Milestone: Component: GHCi | Version: 7.6.2 Resolution: invalid | Keywords: Operating System: | Architecture: Unknown/Multiple Unknown/Multiple | Difficulty: Easy (less than 1 hour) Type of failure: Other | Blocked By: Test Case: | Related Tickets: Blocking: | -------------------------------+------------------------------------------- Comment (by leroux): I should also add that the proper fix is: {{{ $ chmod go-w `dirname $(readlink .ghci)` }}} instead of {{{ $ chmod 755 `dirname $(readlink .ghci)` }}} -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/8058#comment:6 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#8058: If .ghci is a symlink, permissions aren't read correctly -------------------------------+------------------------------------------- Reporter: berdario | Owner: Type: bug | Status: closed Priority: low | Milestone: Component: GHCi | Version: 7.6.2 Resolution: invalid | Keywords: Operating System: | Architecture: Unknown/Multiple Unknown/Multiple | Difficulty: Easy (less than 1 hour) Type of failure: Other | Blocked By: Test Case: | Related Tickets: Blocking: | -------------------------------+------------------------------------------- Comment (by berdario): Uhm, "writable by someone else" seems to include the group, even if the group "dario" doesn't include any user other than "dario" himself. Why does ghci care about the permissions of the parent directory by the way? I just tried and it seems that on linux, having writing permissions for a directory isn't enough to move it away (and substitute it with a malicious one) (fwiw: this is a linux box with hostname "macbook", not macosx... sorry for the confusion) So, if for some reason (other unices?) we really need to check the permissions of the parent directory, the error message may mention it Also, "someone else" is quite a fuzzy concept... "has to have write permission for only your user" might be better? {{{ dario@macbook ~> ls -ld (dirname (readlink .ghci)) drwxrwxr-x 7 dario dario 4096 Sep 12 22:19 /home/dario/.dotfiles/dotfiles/ dario@macbook ~> ghci GHCi, version 7.6.2: http://www.haskell.org/ghc/ :? for help Loading package ghc-prim ... linking ... done. Loading package integer-gmp ... linking ... done. Loading package base ... linking ... done. *** WARNING: /home/dario/.dotfiles/dotfiles is writable by someone else, IGNORING! Prelude> Leaving GHCi. dario@macbook ~> chmod g-w (dirname (readlink .ghci)) dario@macbook ~> ghci GHCi, version 7.6.2: http://www.haskell.org/ghc/ :? for help Loading package ghc-prim ... linking ... done. Loading package integer-gmp ... linking ... done. Loading package base ... linking ... done. Prelude> Leaving GHCi. }}} Thank you -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/8058#comment:7 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#8058: If .ghci is a symlink, permissions aren't read correctly -------------------------------+------------------------------------------- Reporter: berdario | Owner: Type: bug | Status: closed Priority: low | Milestone: Component: GHCi | Version: 7.6.2 Resolution: invalid | Keywords: Operating System: | Architecture: Unknown/Multiple Unknown/Multiple | Difficulty: Easy (less than 1 hour) Type of failure: Other | Blocked By: Test Case: | Related Tickets: Blocking: | -------------------------------+------------------------------------------- Comment (by berdario): btw, ghci only checks the permissions of the parent directory, but if we want to check directory permissions it should be done recursively up to the root, doesn't it? otherwise, someone who managed to get permissions for ~/.dotfiles/ but not ~/.dotfiles/dotfiles/ (or ~/ but not ~/.dotfiles/ ) might be able to move away the whole dotfiles directory {{{ dario@macbook ~> ghci GHCi, version 7.6.2: http://www.haskell.org/ghc/ :? for help Loading package ghc-prim ... linking ... done. Loading package integer-gmp ... linking ... done. Loading package base ... linking ... done. Prelude> Leaving GHCi. dario@macbook ~> ls -l (readlink .ghci) -rw-r--r-- 1 dario dario 10 Jul 14 15:25 /home/dario/.dotfiles/dotfiles/ghci.conf dario@macbook ~> ls -ld (dirname (readlink .ghci)) drwxr-xr-x 7 dario dario 4096 Sep 24 12:22 /home/dario/.dotfiles/dotfiles/ dario@macbook ~> ls -ld (dirname (dirname (readlink .ghci))) drwxrwxr-x 5 dario dario 4096 May 13 20:19 /home/dario/.dotfiles/ }}} Or is this uninteresting, due to the fact that changing a whole directory is likely going to make errors happen the next time the user needs those files? (otoh: if they're readable, the attacker could just move away the directory and copy the old files, as to minimize the impact of the intrusion) -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/8058#comment:8 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
#8058: If .ghci is a symlink, permissions aren't read correctly -------------------------------+------------------------------------------- Reporter: berdario | Owner: Type: bug | Status: closed Priority: low | Milestone: Component: GHCi | Version: 7.6.2 Resolution: invalid | Keywords: Operating System: | Architecture: Unknown/Multiple Unknown/Multiple | Difficulty: Easy (less than 1 hour) Type of failure: Other | Blocked By: Test Case: | Related Tickets: Blocking: | -------------------------------+------------------------------------------- Comment (by leroux): It may be helpful to clarify what the problem is (as berdario mentioned). I guess the clarification would be to append "<dir> should only be writable by the user (o+w)". -- Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/8058#comment:9 GHC http://www.haskell.org/ghc/ The Glasgow Haskell Compiler
participants (1)
-
GHC