
Insecure Temporary Files

Open topimiettinen opened this issue 6 years ago • 3 comments

Usbguard-daemon creates files in world-writable directories (/dev/shm, /tmp) with rather predictable file names (e.g. /dev/shm/qb-usbguard-request-7096-835-12-data). Also, the O_EXCL flag is not used when opening the files. This could be exploited by a local attacker to overwrite privileged system files (if not restricted by sandboxing, MAC or symlinking policies).

Maybe usbguard-daemon could initialize the IPC server with qb_ipcs_create("usbguard-XXXXXX",,,,) to make libqb use mkstemp() for the files, but the problem is also on libqb's side (for example not using O_EXCL). I would not use files for IPC.

topimiettinen, Mar 01 '19 13:03

I've opened issue ClusterLabs/libqb#338 for libqb.

topimiettinen, Mar 01 '19 14:03

> Maybe usbguard-daemon could initialize the IPC server with qb_ipcs_create("usbguard-XXXXXX",,,,) to make libqb use mkstemp() for the files

Sadly that won't work, since XXXXXX needs to be the final suffix, which won't be the case here (rather -header etc. will be such a suffix).

> but the problem is also on libqb's side (for example not using O_EXCL).

Agree. I actually briefly thought about this surface in the past, related to some other issues, but then it got backgrounded for other prio stuff.

jnpkrn, Mar 04 '19 14:03
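
An added example, not part of the thread and not usbguard or libqb code: it shows the two points discussed above, that `O_CREAT` without `O_EXCL` follows a symlink already sitting at the file name while `O_CREAT | O_EXCL` refuses it, and that `mkstemp()` rejects a template where `XXXXXX` is not the final suffix. The scratch directory and all file names are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Open flags: the pattern reported in the issue vs. a hardened form. */
#define FLAGS_WEAK (O_RDWR | O_CREAT | O_CLOEXEC)
#define FLAGS_SAFE (FLAGS_WEAK | O_EXCL | O_NOFOLLOW)

/* In a private scratch directory, put a symlink at the name about to be
 * created, then open that name. Returns 1 if open() followed the link and
 * created its target, 0 if refused with EEXIST, -1 otherwise. */
int open_over_symlink(int flags)
{
    char dir[] = "/tmp/excl-demo-XXXXXX", name[PATH_MAX], target[PATH_MAX];
    struct stat st;
    int result = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(name, sizeof name, "%s/qb-demo-request-data", dir); /* constructed */
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, name) == 0) {
        int fd = open(name, flags, 0600);
        if (fd < 0) result = (errno == EEXIST) ? 0 : -1;
        else { close(fd); result = (stat(target, &st) == 0) ? 1 : -1; }
    }
    unlink(target); unlink(name); rmdir(dir);
    return result;
}

/* mkstemp() needs "XXXXXX" as the last six characters of the template.
 * Returns 0 if a file was created (and removed again), else errno. */
int mkstemp_errno(const char *tmpl_in)
{
    char tmpl[PATH_MAX];
    snprintf(tmpl, sizeof tmpl, "%s", tmpl_in);
    int fd = mkstemp(tmpl);
    if (fd < 0) return errno;
    close(fd); unlink(tmpl);
    return 0;
}

int main(void)
{
    printf("weak: %d, safe: %d, suffix-after-XXXXXX errno: %d\n", open_over_symlink(FLAGS_WEAK),
           open_over_symlink(FLAGS_SAFE), mkstemp_errno("/tmp/usbguard-XXXXXX-header"));
}
```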

Addition of the "PrivateTmp=true" systemd profile setting as described in #231 would mitigate this issue. Of course it'd be best if it's secured both inside the daemon as well as in the profile.

arjenlentz, Apr 03 '20 08:04