CVE-2022-25328: Metadata validation and other security improvements by ebiggers · Pull Request #346 · google/fscrypt

Following the example of /proc/self/mountinfo, replace the space, newline, tab, and backslash characters with octal escape sequences so that the output can be parsed unambiguously.

Mountpoint paths might be untrusted arbitrary strings; the fscrypt bash completion script might need to complete to such strings. Unfortunately, the design of bash completion places some major footguns in the way of doing this correctly and securely:

• “compgen -W” expands anything passed to it, so the argument to -W must be single-quoted to avoid an extra level of expansion.

• The backslashes needed to escape meta-characters in the completed text aren’t added automatically; they must be explicitly added.

Note that the completion script for ‘umount’ used to have these same bugs (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179, util-linux/util-linux#539).

Fix these bugs in roughly the same way that ‘umount’ fixed them.

Don’t allow reading metadata files that are very large, as they can crash the program due to the memory required. Similarly, don’t allow reading metadata files that aren’t regular files, such as FIFOs, or symlinks (which could point to a device node like /dev/zero), as that can hang the program. Both issues were particularly problematic for pam_fscrypt, as they could prevent users from being able to log in.

Note: these checks are arguably unneeded if we strictly check the file ownership too, which a later commit will do. But there’s no reason not to do these basic checks too.

If a login protector contains a UID that differs from the file owner (and the file owner is not root), it might be a spoofed file that was created maliciously, so make sure to consider such files to be invalid.

To allow users to update fscrypt metadata they own in single-user-writable metadata directories (introduced by the next commit), fall back to non-atomic overwrites when atomic ones can’t be done due to not having write access to the directory.

World-writable directories are not appropriate for some systems, so offer a choice of single-user-writable and world-writable modes, with single-user-writable being the default. Add a new documentation section to help users decide which one to use.

The metadata validation checks introduced by the previous commits are good, but to reduce the attack surface it would be much better to avoid reading and parsing files owned by other users in the first place.

There are some possible use cases for users sharing fscrypt metadata files, but I think that for the vast majority of users it is unneeded and just opens up attack surface. Thus, make fscrypt (and pam_fscrypt) not process policies or protectors owned by other users by default. Specifically,

* If fscrypt or pam_fscrypt is running as a non-root user, only policies and protectors owned by the user or by root can be used.

* If fscrypt is running as root, any policy or protector can be used. (This is to match user expectations – starting a sudo session should gain rights, not remove rights.)

* If pam_fscrypt is running as root, only policies and protectors owned by root can be used. Note that this only applies when the root user themselves has an fscrypt login protector, which is rare.

Add an option ‘allow_cross_user_metadata’ to /etc/fscrypt.conf which allows restoring the old behavior for anyone who really needs it.

A previous commit extended file ownership validation to policy and protector files (by default – there’s an opt-out in /etc/fscrypt.conf).

However, that didn’t apply to the parent directories:

MOUNTPOINT
MOUNTPOINT/.fscrypt
MOUNTPOINT/.fscrypt/policies
MOUNTPOINT/.fscrypt/protectors

The problem is that if the parent directories aren’t trusted (owned by another non-root user), then untrusted changes to their contents can be made at any time, including the introduction of symlinks and so on.

While it’s debatable how much of a problem this really is, given the other validations that are done, it seems to be appropriate to validate the parent directories too.

Therefore, this commit applies the same ownership validations to the above four directories as are done on the metadata files themselves.

In addition, it is validated that none of these directories are symlinks except for “.fscrypt” where this is explicitly supported.

Since commit 4c7c663 (“Set owner of login protectors to correct user”), login protectors are made owned by the user when root creates one on a user’s behalf. That’s good, but the same isn’t true of other files that get created at the same time:

• The policy protecting the directory
• The protector link file, if the policy is on a different filesystem
• The recovery protector, if the policy is on a different filesystem
• The recovery instructions file

In preparation for setting all metadata files to mode 0600, start making all these files owned by the user in this scenario as well.

Since fscrypt replaces metadata files rather than overwrites them (to get atomicity), their owner will change to root if root makes a change. That isn’t too much of an issue when the files have mode 0644. However, it will become a much bigger issue when the files have mode 0600, especially because existing files with mode 0644 would also get changed to have mode 0600.

In preparation for this, start preserving the previous owner and mode of policy and protector files when they are updated.

Currently, fscrypt policies and protectors are world readable, as they are created with mode 0644. While this can be nice for use cases where users share these files, those use cases seem to be quite rare, and it’s not a great default security-wise since it exposes password hashes to all users. While fscrypt uses a very strong password hash algorithm, it would still be best to follow the lead of /etc/shadow and keep this information non-world-readable.

Therefore, start creating these files with mode 0600.

Of course, if users do actually want to share these files, they have the option of simply chmod’ing them to a less restrictive mode. An option could also be added to make fscrypt use the old mode 0644; however, the need for that is currently unclear.

If the error is anything other than ErrNotSetup, it might be helpful to know what is going on.

pam_fscrypt should never need to do anything for system users, so detect them early so that we can avoid wasting any resources looking for their login protector.