Open GregorKopka opened 1 year ago
This issue has been automatically marked as "stale" because it has not had any activity for a while. It will be closed in 90 days if no further activity occurs. Thank you for your contributions.
This instant system compromise available to everyone allowed to import a pool is still possible.
altroot was never expected to help with that. Its purpose is merely to not mount file systems of imported pool on top of anything existing. I am not sure what you are asking is actually possible or reasonable to implement at file system level.
I disagree strongly, asaltroot
is advertised as
Alternate root directory. If set, this directory is prepended to any mount points within the pool. This can be used when examining an unknown pool where the mount points cannot be trusted, or in an alternate boot environment, where the typical paths are not valid.
It is expected to help with exactly that, as it is the sole function of this feature.
This path traversal bug is a security vulnerability with a CVS Score of 6.4
@behlendorf and @ahrens, please take a look at this security issue.
Ah. Sorry, for some reason I thought you are talking about symlinks and their used by applications. Use of ".." in mountpoint properties seems weird. I never saw it in a wild. I am not even sure what behavior would be considered proper here.
May be just fail to mount it with altroot. Seem like a minimal isolated fix. Alternatively, outlaw '..' in mountpoint properties and reject the receive which can be pretty scary.
Alternatively, outlaw '..' in mountpoint properties [...]
or through https://github.com/openzfs/zfs/issues/12997#issuecomment-1248291866, which would also remove another security issue with zfs allow mountpoint
(and possibly also the circumvention of the linux limitations regarding mounting of filesystems through sudoers entries that start withzfs set mountpoint=./
and zfs mount x/
(with x being the base dataset assigned to the user)).
System information
OpenZFS Version | any
Describe the problem you're observing
Path traversal allows escaping altroot specified on zpool import
Describe how to reproduce the problem
Include any warning/errors/backtraces from the system logs
None.