cookbook_file issue with symlink

Details

  • Type: Bug Bug
  • Status: Open Open
  • Priority: Critical Critical
  • Resolution: Unresolved
  • Affects Version/s: 0.10.4
  • Fix Version/s: None
  • Component/s: None
  • Labels:
    None

Description

I first filled CHEF-2747 but in the it might be very related.

there must be a missing test before doing the checksum of a file. i don't think the file is being tested as a symlink.
(haven't looked at the source yet tho)

anyway, here is the test, i first considered reporting this in private, in the end i'm not sure it's such a huge security issue.

cookbook_file "/tmp/BLA" do
  source "BLA"
  owner "root"
  group "www-data"
  mode "0770"
end
$ md5sum cookbooks/test1/files/default/BLA 
bac01d02e1d80e86fa2ae0d053f8d903  cookbooks/test1/files/default/BLA

on the node, before chef-client run:

$ ls -l /tmp/BLA /tmp/TEST
lrwxrwxrwx 1 root    root           4 2011-11-24 00:25 BLA -> TEST
-r--r--r-- 1 laurent laurent        4 2011-11-24 00:26 TEST

$ md5sum /tmp/BLA
bac01d02e1d80e86fa2ae0d053f8d903  /tmp/BLA

after chef-client run:

ls -l /tmp/BLA /tmp/TEST
lrwxrwxrwx 1 root    root           4 2011-11-24 00:25 BLA -> TEST
-rwxrwx--- 1 root    www-data       4 2011-11-24 00:26 TEST

BLA is unchanged, TEST's mode, owner and group are changed. oh oh looks like a symlink traversal issue !

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Laurent Désarmes added a comment - 
def new_resource_content_checksum
        @new_resource.content && Digest::SHA2.hexdigest(@new_resource.content)
      end

I knew it wasn't md5sum, any known vuln with sha256 ?

Show
Laurent Désarmes added a comment - def new_resource_content_checksum @new_resource.content && Digest::SHA2.hexdigest(@new_resource.content) end I knew it wasn't md5sum, any known vuln with sha256 ?
Hide
Permalink
Laurent Désarmes added a comment - 
$ grep link /var/lib/gems/1.8/gems/chef-0.10.4/lib/chef/provider/file.rb 
            backup unless ::File.symlink?(@new_resource.path)

questions (some are not really related to this ticket):

  • if the file exists and is a symlink, should it be removed ?
  • what it you put a symlink as a source of a cookbook_file ?
  • should the link and file RP be merged ?
  • why can't we have "broken" symlinks in cookbooks ?
  • CHEF-2389 & CHEF-2747
Show
Laurent Désarmes added a comment - $ grep link / var /lib/gems/1.8/gems/chef-0.10.4/lib/chef/provider/file.rb backup unless ::File.symlink?(@new_resource.path) questions (some are not really related to this ticket): if the file exists and is a symlink, should it be removed ? what it you put a symlink as a source of a cookbook_file ? should the link and file RP be merged ? why can't we have "broken" symlinks in cookbooks ? CHEF-2389 & CHEF-2747
Hide
Permalink
Matthew Kent added a comment -

Yikes, this could cause someone some pain.

+1 here for treating symlinks like normal files and doing the following:

1) specific log output indicating it's a symlink
2) backing up the symlink
3) removing it
4) replacing it with the cookbook file

Couldn't see anything worse here than the normal behavior of
cookbook_file in replacing data.

Show
Matthew Kent added a comment - Yikes, this could cause someone some pain. +1 here for treating symlinks like normal files and doing the following: 1) specific log output indicating it's a symlink 2) backing up the symlink 3) removing it 4) replacing it with the cookbook file Couldn't see anything worse here than the normal behavior of cookbook_file in replacing data.

People

  • Assignee:
    Unassigned
    Reporter:
    Laurent Désarmes
Vote (1)
Watch (2)

Dates

  • Created:
    Updated: