722705 – tclx does not chdir after chroot

Bug 722705 - tclx does not chdir after chroot

Summary: tclx does not chdir after chroot

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	tclx
Sub Component:
Version:	6.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Jaroslav Škarvada
QA Contact:	Anna Khaitovich
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1503821
TreeView+	depends on / blocked

Reported:	2011-07-16 20:13 UTC by Steve Grubb
Modified:	2017-12-06 11:55 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-12-06 11:55:27 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Patch attempting to fix the bug (632 bytes, patch) 2011-07-16 20:14 UTC, Steve Grubb	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Description Steve Grubb 2011-07-16 20:13:08 UTC

Description of problem:
The tclx extensions has a chroot command. Inspecting the code shows that it does not do a chdir("/") after calling chroot. This means that '.' is outside the chroot. See, unix/tclXunixCmds.c. 

Looking at the test scripts & documentation makes it unclear if the responsibility of doing the chdir is that of this command or if the programmer is expected to issue a chdir. If the library does it then there is no harm since a second chdir to / would have no effect. However, if the library does not do it and programmers assumed the library took care of it, then there could be apps that are not inside the chroot.

Additional info:
http://cwe.mitre.org/data/definitions/243.html

Comment 1 Steve Grubb 2011-07-16 20:14:19 UTC

Created attachment 513502 [details]
Patch attempting to fix the bug

Comment 3 Jaroslav Škarvada 2011-07-18 08:08:51 UTC

Steve thanks.

I think this behaviour is according to supplied TclX.n man:

> chroot dirname
> Change  root  directory  to  dirname,  by  invoking the POSIX
> chroot(2) system call.  This command only succeeds if running
> as root.

I understand it that it is only wrapper to POSIX chroot. And the behaviour (and jail escape problem) is described in chroot(2) man page.

I will consult this with upstream, they could at least note this explicitly in their doc.

Could we make it public? I would like to link this report to upstream tracker.

Comment 4 Steve Grubb 2011-07-18 12:02:02 UTC

Yes, I saw the same documentation and did not see a warning to the programmer about whether or not they need to issue a chdir or if this was already handled for them. I then looked at the unit tests supplied and noticed that none of them did a chdir, so I thought this must be the correct and intended use since there was unit tests. Based on that, I suspected that the library should do the chdir. Of course, there could be corrections to the unit test + docs so that the programmer knows the right actions after the chroot.

Comment 6 RHEL Program Management 2011-09-30 18:48:56 UTC

This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 7 RHEL Program Management 2012-09-21 16:01:36 UTC

This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 9 Tomáš Hozza 2017-10-13 14:28:24 UTC

Was there any outcome of the discussion with the upstream? What is the situation in the latest upstream version?

Comment 10 Jaroslav Škarvada 2017-10-13 14:41:03 UTC

(In reply to Tomáš Hozza from comment #9)
> Was there any outcome of the discussion with the upstream? What is the
> situation in the latest upstream version?

I didn't bring it upstream because it wasn't rated by SRT and I don't have private secure channel to upstream (to be honest the upstream seems to be dead, i.e. no release since 2012). Personally I don't think it's security related, but I can't it just put on public mailing list.

Comment 11 Steve Grubb 2017-10-18 12:10:05 UTC

This can be a security issue. See this:

https://cwe.mitre.org/data/definitions/243.html

Comment 12 Jaroslav Škarvada 2017-10-18 12:41:51 UTC

(In reply to Steve Grubb from comment #11)
> This can be a security issue. See this:
> 
> https://cwe.mitre.org/data/definitions/243.html

Thanks for info, I think I am not authorized to judge it. I sent mail to secalert to sort it out.

Comment 17 Jan Kurik 2017-12-06 11:55:27 UTC

Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/

Note You need to log in before you can comment on or make changes to this bug.