Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make visudo into a forbid(unsafe_code) module. #859

Open
squell opened this issue Sep 2, 2024 · 12 comments
Open

Make visudo into a forbid(unsafe_code) module. #859

squell opened this issue Sep 2, 2024 · 12 comments
Labels

Comments

@squell
Copy link
Member

squell commented Sep 2, 2024

visudo uses unsafe code at two spots n the fn create_temporary_dir. While visudo isn't part of the security critical boundary, it would be nice to remove them (or move them into the system module).

@dd-dreams
Copy link
Contributor

Is https://docs.rs/tempfile/latest/tempfile/fn.tempdir.html a good replacement? It's a small crate.
Otherwise, we could move the function to system module, or we can remove unsafe completely by just implementing a temporary directory pretty easily using env::temp_dir and creating a struct with custom drop.

@pvdrz
Copy link
Collaborator

pvdrz commented Sep 16, 2024

I'd lean to use an std function instead (I"m not sure if https://doc.rust-lang.org/std/env/fn.temp_dir.html does what we want). Adding a dependency that has unsafe code for a single function feels like putting the issue under the rug.

@dd-dreams
Copy link
Contributor

I have mis-copied before, I meant the link above I provided. You can use a std function, though I didn't find a way to use mkdtemp in std lib. You can create a temp dir manually.

@pvdrz
Copy link
Collaborator

pvdrz commented Sep 19, 2024

yeah we would have to come up with a random name for the directory ourselves and I'm not sure what would be the proper requirements for that. Maybe we could "just" move the mktemp wrapper to sudo and expose it so visudo can use it 🤔

@squell
Copy link
Member Author

squell commented Oct 7, 2024

I agree that just incorporating an extra dependency that uses the same kind of code would just be "sweeping it under the rug". One easy way would be to move it to system. Or we could investigate if fn.temp_dir suffices (but probably it doesn't or we would have already used that?)

@pvdrz
Copy link
Collaborator

pvdrz commented Oct 17, 2024

the issue with temp_dir is that it gives us the path to the temporary directory (/tmp/ in linux) but mktemp creates one random directory under the temporary directory.

So we could, in principle, call temp_dir and then mkdir a new directory with a random name under the temporary directory, but it could be a possible source of vulns.

I think moving this wrapper to system is the best solution.

@dd-dreams
Copy link
Contributor

temp_dir could suffice also because I'm not seeing any real danger implementing it ourselves, but moving it to system is also a good solution.

@pvdrz
Copy link
Collaborator

pvdrz commented Nov 14, 2024

The advantage of just moving it to system is that we have the peace of mind that sudo has been using the same function
without issues for years.

@dd-dreams
Copy link
Contributor

Don't think its a good argument, but it's up to the maintainer.

@pvdrz
Copy link
Collaborator

pvdrz commented Nov 14, 2024

why?

@dd-dreams
Copy link
Contributor

Just because sudo uses the same function doesn’t mean it’s completely safe. Many parts of sudo have been around for years, but there’s a good chance they still have some issues (no program is perfect).

But I also don't see any potential issue moving it to system :)

@pvdrz
Copy link
Collaborator

pvdrz commented Nov 15, 2024

Yes, I agree that using the same function as sudo is no guarantee of absolute safety. But sharing that function means that if either of us gets a vulnerability related with it, the other will be automatically covered once glibc (or your library of choice) is patched.

On the other hand, if sudo gets a vulnerability report for this function and we decided to roll our own, now we have to check if it affect us and figure out how to port the fix ourselves.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants