diff options
author | Robert Obryk <robryk@gmail.com> | 2022-11-05 00:09:32 +0100 |
---|---|---|
committer | Robert Obryk <robryk@gmail.com> | 2023-08-27 14:10:36 +0200 |
commit | 1bdbc0b0fedcb5fdcb60a88f9781e53d9b12d5c8 (patch) | |
tree | afd1736e0039985905b566acdef1e657ee7856f6 /nixos/tests/wrappers.nix | |
parent | 44fde723be696020dc4c78d5deae3501b6cb088f (diff) |
nixos/security/wrappers: stop using `.real` files
Before this change it was crucial that nonprivileged users are unable to create hardlinks to SUID wrappers, lest they be able to provide a different `.real` file alongside. That was ensured by not providing a location writable to them in the /run/wrappers tmpfs, (unless disabled) by the fs.protected_hardlinks=1 sysctl, and by the explicit own-path check in the wrapper. After this change, ensuring that property is no longer important, and the check is most likely redundant. The simplification of expectations of the wrapper will make it easier to remove some of the assertions in the wrapper (which currently cause the wrapper to fail in no_new_privs environments, instead of executing the target with non-elevated privileges). Note that wrappers had to be copied (not symlinked) into /run/wrappers due to the SUID/capability bits, and they couldn't be hard/softlinks of each other due to those bits potentially differing. Thus, this change doesn't increase the amount of memory used by /run/wrappers. This change removes part of the test that is obsoleted by the removal of `.real` files.
Diffstat (limited to 'nixos/tests/wrappers.nix')
-rw-r--r-- | nixos/tests/wrappers.nix | 7 |
1 files changed, 0 insertions, 7 deletions
diff --git a/nixos/tests/wrappers.nix b/nixos/tests/wrappers.nix index 4c7a82f7dd005..fc32ed4102608 100644 --- a/nixos/tests/wrappers.nix +++ b/nixos/tests/wrappers.nix @@ -92,13 +92,6 @@ in machine.succeed(cmd_as_regular('/run/wrappers/bin/capsh_with_chown --has-p=CAP_CHOWN')) machine.fail(cmd_as_regular('/run/wrappers/bin/capsh_with_chown --has-p=CAP_SYS_ADMIN')) - # test a few "attacks" against which the wrapper protects itself - machine.succeed("cp /run/wrappers/bin/suid_root_busybox{,.real} /tmp/") - machine.fail(cmd_as_regular("/tmp/suid_root_busybox id -u")) - - machine.succeed("chmod u+s,a+w /run/wrappers/bin/suid_root_busybox") - machine.fail(cmd_as_regular("/run/wrappers/bin/suid_root_busybox id -u")) - # Test that the only user of apparmor policy includes generated by # wrappers works. Ideally this'd be located in a test for the module that # actually makes the apparmor policy for ping, but there's no convenient |