Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add hardening measures on untar #49

Merged
merged 1 commit into from
Nov 26, 2024
Merged

Conversation

grembo
Copy link
Contributor

@grembo grembo commented Nov 23, 2024

This adds hardening measures while untaring archives fetched over the network (including FreeBSD tarballs and iocage plugins), as implemented by TrueNAS, see:
truenas/iocage#358

This reduces the impact of intentionally malicious or accidentally broken archives.

Please note that users are still advised to only fetch from trusted sources and make use of TLS to prevent MITM attacks.

Make sure to follow and check these boxes before submitting a PR! Thank you.

This adds hardening measures while untaring archives fetched
over the network (including FreeBSD tarballs and iocage plugins),
as implemented by TrueNAS, see:
truenas/iocage#358

This reduces the impact of intentionally malicious or accidentally
broken archives.

Please note that users are still advised to only fetch from
trusted sources and make use of TLS to prevent MITM attacks.
@coveralls
Copy link

coveralls commented Nov 23, 2024

Pull Request Test Coverage Report for Build 11989389854

Details

  • 1 of 4 (25.0%) changed or added relevant lines in 2 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.008%) to 7.748%

Changes Missing Coverage Covered Lines Changed/Added Lines %
iocage_lib/ioc_plugin.py 1 2 50.0%
iocage_lib/ioc_fetch.py 0 2 0.0%
Totals Coverage Status
Change from base Build 11334365279: 0.008%
Covered Lines: 799
Relevant Lines: 7804

💛 - Coveralls

@dgeo
Copy link
Contributor

dgeo commented Nov 26, 2024

Thank you !

@dgeo dgeo merged commit 8f580fa into freebsd:master Nov 26, 2024
2 checks passed
@dgeo dgeo added this to the 1.9 milestone Nov 26, 2024
@dgeo dgeo self-assigned this Nov 26, 2024
dgeo pushed a commit to criecm/iocage that referenced this pull request Nov 29, 2024
This adds hardening measures while untaring archives fetched
over the network (including FreeBSD tarballs and iocage plugins),
as implemented by TrueNAS, see:
truenas/iocage#358

This reduces the impact of intentionally malicious or accidentally
broken archives.

Please note that users are still advised to only fetch from
trusted sources and make use of TLS to prevent MITM attacks.
grembo added a commit to grembo/iocage that referenced this pull request Dec 8, 2024
In freebsd#49 a hardening measure was imported from
truenas/iocage#358. This hardening measure limits what
can be extracted (location and attributes). It is implemented by
applying the 'tar' filter from tarfile. That filter does this[0]:

- Strip leading slashes (/ and os.sep) from filenames.
- Refuse to extract files with absolute paths (in case the name is
  absolute even after stripping slashes, e.g. C:/foo on Windows). This
  raises AbsolutePathError.
- Refuse to extract files whose absolute path (after following symlinks)
  would end up outside the destination. This raises
  OutsideDestinationError.
- Clear high mode bits (setuid, setgid, sticky) and group/other write
  bits (S_IWGRP | S_IWOTH).

While the first three modifications are desirable, the last one
damages the extracted release image, as things like sticky bits and
world writable files are required by a proper FreeBSD (jail)
installation.

Fixes freebsd#54

[0]https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter
dgeo pushed a commit that referenced this pull request Dec 9, 2024
In #49 a hardening measure was imported from
truenas/iocage#358. This hardening measure limits what
can be extracted (location and attributes). It is implemented by
applying the 'tar' filter from tarfile. That filter does this[0]:

- Strip leading slashes (/ and os.sep) from filenames.
- Refuse to extract files with absolute paths (in case the name is
  absolute even after stripping slashes, e.g. C:/foo on Windows). This
  raises AbsolutePathError.
- Refuse to extract files whose absolute path (after following symlinks)
  would end up outside the destination. This raises
  OutsideDestinationError.
- Clear high mode bits (setuid, setgid, sticky) and group/other write
  bits (S_IWGRP | S_IWOTH).

While the first three modifications are desirable, the last one
damages the extracted release image, as things like sticky bits and
world writable files are required by a proper FreeBSD (jail)
installation.

Fixes #54

[0]https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants