Message-ID: <yPOEyvOUfuKsklWzFpBdmDaFvVBey86L51kH7CwV-FzPfbHqBtd-TjZDy4CzpGRPcSnI0SG6ASuvbVrziaGJa9hpTLR9tPWf22iAD4CPVOI=@hexsys.org>
Date: Tue, 12 Nov 2024 17:31:32 +0000
From: Ali Polatel <alip@...sys.org>
To: oss-security@...ts.openwall.com
Subject: Re: shell wildcard expansion (un)safety

On Wednesday, November 6th, 2024 at 15:44, David A. Wheeler <dwheeler@...eeler.com> wrote:

> Long ago I wrote a really long essay about POSIX filename issues.
> Some people here may find it interesting:
> https://dwheeler.com/essays/fixing-unix-linux-filenames.html

Thank you. Around six months ago I added a restriction on filenames with control characters to Sydbox[1] after I had read about a vulnerability here on this list. I think it was about tar but my memory may not serve me right.

Sydbox is secure by default, so at first this feature was enabled without any way to turn it off. After a few months of testing with fellow Exherbo Linux developers, we have noticed some package tests (nvim was one of them) actually rely on creating paths with control characters as part of their test suites, so I added a setting to disable this feature, which was set by our package manager.

Having read your article, and three versions of your Safename LSM patch-sets, and having felt immensely thankful and enlightened for a while, I have proceeded to replace the control character restrictions above with an implementation that is very similar to yours.

A possibly incomplete list of what Sydbox does differently is:

1. Existing bad files are hidden.
2. Tilde prefix is forbidden; I have noticed you have dropped this in your third version with reasons irrelevant to Sydbox.
3. "$" and "`" characters are forbidden.

Finally, I am sharing the relevant part of the syd(7)[2] manual page as food for thought. Note, 3.28.0 has not been released at the time of writing so this is also in part a request for feedback :). You may find the code changes here[3].

Sydbox is GPL-3.0-or-later and Safename LSM is GPL-2.0 so I have taken the liberty to rewrite most of the main logic from C to Rust and added unit tests. The file src/path.rs includes an attribution to you and your work in the copyright header. Thank you!

--8<--

## Enhanced Path Integrity Measures

As of version 3.17.4, Syd incorporates crucial enhancements to maintain the integrity of file system paths by systematically denying and masking paths that contain control characters. These modifications are essential for preventing the exploitation of terminal-based vulnerabilities and for maintaining robustness in logging activities. Paths identified with control characters are not only denied during sandbox access check but are also sanitized when logged to ensure that potentially harmful data does not compromise log integrity or facilitate inadvertent security breaches. Such measures underscore Syd's ongoing commitment to fortifying security by adhering to rigorous, up-to-date standards for handling untrusted input efficiently.

As of version 3.18.6, this restriction can be relaxed by using the setting "trace/allow_unsafe_filename:1". This setting may be toggled from within the sandbox during runtime prior to locking the sandbox.

As of version 3.28.0, Syd has enhanced its path integrity measures by incorporating an implementation based on David A. Wheeler's Safename Linux Security Module (LSM) patches. This update not only prevents the creation of filenames containing potentially harmful characters but also hides existing files with such names. Invalid filenames are now denied with an "EINVAL" error when necessary.

In alignment with Wheeler's recommendations on restricting dangerous filenames, the validation now enforces stricter rules:

- *Control Characters*: Filenames containing control characters (bytes 0x00–0x1F and 0x7F) are denied.
- *UTF-8 Encoding*: Filenames must be valid UTF-8 sequences.
- *Forbidden Characters*: The following characters are disallowed in filenames as they may interfere with shell operations or be misinterpreted by programs: \*, ?, :, [, ], ", <, >, |, (, ), {, }, &, ', !, \\, ;, $, and `.
- *Leading Characters*: Filenames cannot start with a space ( ), dash (-), or tilde (~).
- *Trailing Characters*: Filenames cannot end with a space ( ).

These measures mitigate security risks associated with malicious filenames by ensuring that both new and existing filenames adhere to stringent validation rules. This enhancement strengthens overall system robustness by preventing potential exploitation through untrusted input in file operations.

For more information, refer to the following links:

- https://dwheeler.com/essays/fixing-unix-linux-filenames.html
- https://lwn.net/Articles/686021/
- https://lwn.net/Articles/686789/
- https://lwn.net/Articles/686792/

-->8--

[1]: https://sydbox.exherbolinux.org
[2]: http://man.exherbolinux.org/syd.7.html#Enhanced_Path_Integrity_Measures
[3]: https://gitlab.exherbo.org/sydbox/sydbox/-/compare/7a6cc9b9cddc5d074d6f72b2b1a3f9aef065fed6...50fb41f21c1ce7e9556c778707a731d1a56e152c

>
> --- David A. Wheeler

Best regards,
Ali Polatel
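A small checker for the filename rules quoted in the syd(7) excerpt above, added here as an illustration and not Sydbox's own src/path.rs: it applies the five listed rules to one path component in the order the manual gives them, reports which rule a name fails, and extends the check to every component of a path (the enum and function names are assumptions).

```rust
// Added example, not Sydbox code: validate path components against the
// rules listed under "Enhanced Path Integrity Measures" in syd(7).

#[derive(Debug, PartialEq)]
pub enum FilenameError {
    ControlChar(u8),    // byte in 0x00..=0x1F or 0x7F
    InvalidUtf8,        // not a valid UTF-8 sequence
    Forbidden(char),    // one of the shell-significant characters
    LeadingChar(char),  // starts with space, dash or tilde
    TrailingSpace,      // ends with a space
}

// The characters the manual page lists as disallowed anywhere in a name.
const FORBIDDEN: &[char] = &[
    '*', '?', ':', '[', ']', '"', '<', '>', '|', '(', ')', '{', '}',
    '&', '\'', '!', '\\', ';', '$', '`',
];

/// Check a single path component (raw bytes, as the kernel sees them).
pub fn check_filename(name: &[u8]) -> Result<(), FilenameError> {
    // Rule 1: control characters are denied before anything else.
    if let Some(&b) = name.iter().find(|&&b| b < 0x20 || b == 0x7f) {
        return Err(FilenameError::ControlChar(b));
    }
    // Rule 2: the name must decode as UTF-8.
    let s = std::str::from_utf8(name).map_err(|_| FilenameError::InvalidUtf8)?;
    // Rule 3: shell metacharacters are denied anywhere in the name.
    if let Some(c) = s.chars().find(|c| FORBIDDEN.contains(c)) {
        return Err(FilenameError::Forbidden(c));
    }
    // Rule 4: a leading space, dash or tilde is denied.
    if let Some(c @ (' ' | '-' | '~')) = s.chars().next() {
        return Err(FilenameError::LeadingChar(c));
    }
    // Rule 5: a trailing space is denied.
    if s.ends_with(' ') {
        return Err(FilenameError::TrailingSpace);
    }
    Ok(())
}

/// Check every component of a '/'-separated path; the manual says such
/// paths are denied with EINVAL, so the first failing component is reported.
pub fn check_path(path: &[u8]) -> Result<(), FilenameError> {
    path.split(|&b| b == b'/')
        .filter(|c| !c.is_empty())
        .try_for_each(check_filename)
}
```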