Opened 22 months ago

Closed 19 months ago

Last modified 19 months ago

#8058 closed bug (invalid)

If .ghci is a symlink, permissions aren't read correctly

Reported by: berdario
Owned by:
Priority: low
Milestone:
Component: GHCi
Version: 7.6.2
Keywords:
Cc:
Operating System: Unknown/Multiple
Architecture: Unknown/Multiple
Type of failure: Other
Test Case:
Blocked By:
Blocking:
Related Tickets:
Differential Revisions:

Description

dario@macbook ~> ls -l .ghci
lrwxrwxrwx 1 dario dario 40 Jul 14 15:27 .ghci -> /home/dario/.dotfiles/dotfiles/ghci.conf
dario@macbook ~> ls -l (readlink -f .ghci)
-rw-r--r-- 1 dario dario 10 Jul 14 15:25 /home/dario/.dotfiles/dotfiles/ghci.conf
dario@macbook ~> ghci
GHCi, version 7.6.2: http://www.haskell.org/ghc/ :? for help
Loading package ghc-prim ... linking ... done.
Loading package integer-gmp ... linking ... done.
Loading package base ... linking ... done.
*** WARNING: /home/dario/.dotfiles/dotfiles is writable by someone else, IGNORING!
Prelude>

Obviously, /home/dario/.dotfiles/dotfiles isn't writable by someone else...

Someone else could actually delete the symlink and maybe recreate it... but they couldn't inject malicious commands into the .ghci unless the file pointed to by the symlink was also writable by the attacker, in which case checking the permissions of the target of the symlink would still prevent any wrongdoing.

Change History (9)

comment:1 Changed 22 months ago by berdario

dario@macbook ~> ls -l .ghci
lrwxrwxrwx 1 dario dario 40 Jul 14 15:27 .ghci -> /home/dario/.dotfiles/dotfiles/ghci.conf
dario@macbook ~> ls -l (readlink -f .ghci)
-rw-r--r-- 1 dario dario 10 Jul 14 15:25 /home/dario/.dotfiles/dotfiles/ghci.conf
dario@macbook ~> ghci
GHCi, version 7.6.2: http://www.haskell.org/ghc/ :? for help
Loading package ghc-prim ... linking ... done.
Loading package integer-gmp ... linking ... done.
Loading package base ... linking ... done.
*** WARNING: /home/dario/.dotfiles/dotfiles is writable by someone else, IGNORING!
Prelude>

Obviously, /home/dario/.dotfiles/dotfiles isn't writable by someone else...

Someone else could actually delete the symlink and maybe recreate it... but they couldn't inject malicious commands into the .ghci unless the file pointed to by the symlink was also writable by the attacker, in which case checking the permissions of the target of the symlink would still prevent any wrongdoing.

comment:2 Changed 19 months ago by leroux

  • Resolution set to invalid
  • Status changed from new to closed

Reformatted output from berdario:

$ ls -l .ghci
lrwxrwxrwx 1 dario dario 40 Jul 14 15:27 .ghci -> /home/dario/.dotfiles/dotfiles/ghci.conf

$ ls -l (readlink -f .ghci)
-rw-r--r-- 1 dario dario 10 Jul 14 15:25 /home/dario/.dotfiles/dotfiles/ghci.conf

$ ghci
GHCi, version 7.6.2: http://www.haskell.org/ghc/ :? for help
Loading package ghc-prim ... linking ... done.
Loading package integer-gmp ... linking ... done.
Loading package base ... linking ... done.
*** WARNING: /home/dario/.dotfiles/dotfiles is writable by someone else, IGNORING!
Prelude>

The attacker could symlink .ghci to another file which has malicious code.


Output from my system:

$ ls -l .ghci
lrwxr-xr-x  1 leroux  staff  44 Jul 30 10:02 .ghci -> /Users/leroux/.dotfiles/haskell/ghci.symlink

$ ls -l `readlink .ghci`
-rwxr-x---  1 leroux  staff  338 Sep 22 18:59 /Users/leroux/.dotfiles/haskell/ghci.symlink

comment:3 Changed 19 months ago by rwbarton

On Linux, as far as I know, symlinks don't have permissions (ls -l will always report lrwxrwxrwx). Permission to delete or modify a symlink is based on write permission for the directory containing the symlink.

In any event, ghci shouldn't be claiming that "/home/dario/.dotfiles/dotfiles is writable by someone else" if it isn't. But I can't reproduce this (in ghci 7.4.2): I only get a message like that when either the directory containing the target of the symlink or the target itself really is writable by someone else. In other words, the permissions checks seem to be working correctly for me when .ghci is a symlink (on Linux, ghci version 7.4.2).

comment:4 Changed 19 months ago by rwbarton

berdario, are you sure /home/dario/.dotfiles/dotfiles really isn't writable by anyone else? If so please reopen this ticket. (I don't have ghci 7.6.2 or a Mac OS machine handy to test on.)

comment:5 Changed 19 months ago by leroux

$ ghci
GHCi, version 7.6.3: http://www.haskell.org/ghc/  :? for help
Loading package ghc-prim ... linking ... done.
Loading package integer-gmp ... linking ... done.
Loading package base ... linking ... done.
*** WARNING: /Users/leroux/Dropbox/src/dotfiles/haskell is writable by someone else, IGNORING!
Prelude>
Leaving GHCi.

$ ls -l .ghci
lrwxr-xr-x  1 leroux  staff  44 Jul 30 10:02 .ghci -> /Users/leroux/.dotfiles/haskell/ghci.symlink

$ ls -l `readlink .ghci`
-rwxr-x---  1 leroux  staff  338 Sep 22 18:59 /Users/leroux/.dotfiles/haskell/ghci.symlink

$ ls -ld `dirname $(readlink .ghci)` # this is equivalent to `/home/dario/.dotfiles/dotfiles`
drwxr-x--x  4 leroux  staff  136 Aug  9 00:41 /Users/leroux/.dotfiles/haskell

# making the home of .ghci writable
$ chmod ugo+w `dirname $(readlink .ghci)`

$ ls -ld `dirname $(readlink .ghci)`
drwxrwx-wx  4 leroux  staff  136 Aug  9 00:41 /Users/leroux/.dotfiles/haskell

$ ghci
GHCi, version 7.6.3: http://www.haskell.org/ghc/  :? for help
Loading package ghc-prim ... linking ... done.
Loading package integer-gmp ... linking ... done.
Loading package base ... linking ... done.
*** WARNING: /Users/leroux/Dropbox/src/dotfiles/haskell is writable by someone else, IGNORING!

Note that /Users/leroux/.dotfiles/haskell is equivalent to /home/dario/.dotfiles/dotfiles, as they are the directories where the .ghci file lives.


berdario, it'd be helpful if you let us know what the directory permissions are (as rwbarton asked):

ls -ld `dirname $(readlink .ghci)`

comment:6 Changed 19 months ago by leroux

I should also add that the proper fix is:

$ chmod go-w `dirname $(readlink .ghci)`

instead of

$ chmod 755 `dirname $(readlink .ghci)`

comment:7 Changed 19 months ago by berdario

Uhm, "writable by someone else" seems to include the group, even if the group "dario" doesn't include any user other than "dario" himself.

Why does ghci care about the permissions of the parent directory, by the way? I just tried, and it seems that on Linux, having write permission for a directory isn't enough to move it away (and substitute it with a malicious one).
(fwiw: this is a Linux box with hostname "macbook", not Mac OS X... sorry for the confusion)

So, if for some reason (other unices?) we really need to check the permissions of the parent directory, the error message may mention it

Also, "someone else" is quite a fuzzy concept... "has to have write permission for only your user" might be better?

dario@macbook ~> ls -ld (dirname (readlink .ghci))
drwxrwxr-x 7 dario dario 4096 Sep 12 22:19 /home/dario/.dotfiles/dotfiles/

dario@macbook ~> ghci
GHCi, version 7.6.2: http://www.haskell.org/ghc/  :? for help
Loading package ghc-prim ... linking ... done.
Loading package integer-gmp ... linking ... done.
Loading package base ... linking ... done.
*** WARNING: /home/dario/.dotfiles/dotfiles is writable by someone else, IGNORING!
Prelude> 
Leaving GHCi.

dario@macbook ~> chmod g-w (dirname (readlink .ghci))

dario@macbook ~> ghci
GHCi, version 7.6.2: http://www.haskell.org/ghc/  :? for help
Loading package ghc-prim ... linking ... done.
Loading package integer-gmp ... linking ... done.
Loading package base ... linking ... done.
Prelude> 
Leaving GHCi.

Thank you


comment:8 Changed 19 months ago by berdario

btw, ghci only checks the permissions of the parent directory, but if we want to check directory permissions it should be done recursively up to the root, shouldn't it?

otherwise, someone who managed to get permissions for ~/.dotfiles/ but not ~/.dotfiles/dotfiles/ (or ~/ but not ~/.dotfiles/ ) might be able to move away the whole dotfiles directory

dario@macbook ~> ghci
GHCi, version 7.6.2: http://www.haskell.org/ghc/  :? for help
Loading package ghc-prim ... linking ... done.
Loading package integer-gmp ... linking ... done.
Loading package base ... linking ... done.
Prelude> 
Leaving GHCi.

dario@macbook ~> ls -l (readlink .ghci)
-rw-r--r-- 1 dario dario 10 Jul 14 15:25 /home/dario/.dotfiles/dotfiles/ghci.conf

dario@macbook ~> ls -ld (dirname (readlink .ghci))
drwxr-xr-x 7 dario dario 4096 Sep 24 12:22 /home/dario/.dotfiles/dotfiles/

dario@macbook ~> ls -ld (dirname (dirname (readlink .ghci)))
drwxrwxr-x 5 dario dario 4096 May 13 20:19 /home/dario/.dotfiles/

Or is this uninteresting, due to the fact that changing a whole directory is likely going to make errors happen the next time the user needs those files? (otoh: if they're readable, the attacker could just move away the directory and copy the old files, so as to minimize the impact of the intrusion)

comment:9 Changed 19 months ago by leroux

It may be helpful to clarify what the problem is (as berdario mentioned).
I guess the clarification would be to append "<dir> should only be writable by the user (o+w)".
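
The check discussed in this ticket, modelled as an added example (not GHC's source and not code from any commenter): it resolves the symlink, then reports which path component carries a group- or other-write bit, comparing the file-plus-parent check reported here with the full ancestor walk proposed in comment:8. The names `loose_components` and `demo`, the `levels` and `stop` parameters, and the temporary directory tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # group or other write = "someone else"


def loose_components(path, levels=None, stop="/"):
    """Resolve symlinks in path, then walk from the real file up towards stop.
    Returns [(component, mode_string)] for each component that has a group- or
    other-write bit. levels=1 looks at the file and its parent directory only
    (the behaviour reported in the ticket); levels=None checks every ancestor
    up to stop (the stricter walk proposed in comment:8).
    """
    cur = os.path.realpath(path)  # the link's own lrwxrwxrwx mode is never used
    stop = os.path.realpath(stop)
    findings, climbed = [], 0
    while True:
        mode = os.stat(cur).st_mode
        if mode & LOOSE:
            findings.append((cur, stat.filemode(mode)))
        parent = os.path.dirname(cur)
        if cur == stop or parent == cur or (levels is not None and climbed >= levels):
            break
        cur, climbed = parent, climbed + 1
    return findings


def demo():
    """Constructed tree shaped like comment:8: home/.dotfiles/dotfiles/ghci.conf."""
    home = os.path.join(tempfile.mkdtemp(), "home")
    outer = os.path.join(home, ".dotfiles")
    inner = os.path.join(outer, "dotfiles")
    os.makedirs(inner)
    conf = os.path.join(inner, "ghci.conf")
    with open(conf, "w") as fh:
        fh.write(":set +t\n")
    # inner is 755 (after `chmod g-w`), outer is still 775 as in comment:8
    for p, mode in ((conf, 0o644), (inner, 0o755), (outer, 0o775), (home, 0o755)):
        os.chmod(p, mode)
    link = os.path.join(home, ".ghci")
    os.symlink(conf, link)
    return home, link, outer


if __name__ == "__main__":
    home, link, _ = demo()
    print("file + parent:", loose_components(link, levels=1, stop=home))
    print("full walk    :", loose_components(link, stop=home))
```

Run against a real `~/.ghci` with the default `stop="/"`, the full walk will also list any group- or other-writable ancestor outside the home directory, so read the output per component rather than as a single pass/fail.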
