-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding less idiomatic, but more accurate wrappers? #25
Comments
Yes. Except I'm not sure I have a lot of time to collaborate on this. Also, I want to keep functionality cross-platform where possible. This is a reason it does not expose specific flags. A couple of points more:
The issue with this is that I often use And yes, security against some attacks were also in mind when designing the library. There are a couple of things to keep in mind when using the library though (like always using a single component in path). I agree the documentation should be improved. The simplest way to expose all the functionality is to have |
That's okay, I can look into it and throw patches over the wall.
Ah, okay -- I do vaguely recall that some other Unices have
It doesn't necessarily require capabilities -- you're probably thinking of In fact, I think the only example of
I guess my point was that the actual
Ah okay, it might be the case that this should be documented better.
I completely missed this, sorry about that.
Fair enough (though
Since we only care about However, there is a security counter-argument -- an open
All of that being said, there's no need to do this right now -- I just wanted to mention it as something you might find interesting to look into. Or we could just get users to provide a handle explicitly as you suggested.
That's great to hear. As an aside (in case you're interested) I'm currently posting patches for
Yeah this seems like a good idea (though maybe we should pass |
The cross-platform aspect is tricky. I feel like since the Rust libstd covers a fully cross-platform API for generic filesystem stuff, our role here should be to expose more operating-system specific features. It's clear we want a standard crate that has the low-level wrappers. And probably large chunks of that is going to be That said, on the flip side even Rust libstd should probably be using BTW, another random note on the API topic; this crate hardcoding |
Rust stdlib doesn't provide same level of security (preventing symlink attacks, and similar things). On the other hand if we just reexport libc wrappers over It often not clear how to combine all that flags and open modes in linux kernel to make simple file management tool. And the idea to make a lot of safe use cases easier and obvious to write. |
OK a year later...I was looking at this again because I'd like to make use of (A huge trap with |
So I think what I want is just the code from https://github.com/openSUSE/libpathrs/blob/ad7e8c2ebccdcd6dbb682bb3cec31650ab1c55e1/src/syscalls.rs#L664 in this library - in this case I'd be fine with a "use if available" semantics, otherwise fall back to a regular |
I'm bringing this up because of a discussion with @cgwalters about this crate (see openSUSE/libpathrs#1).
libpathrs
is a library which helps correctly handle path resolution in the face of potential attackers. To this end, I make use of a lot of different*at
syscalls -- but because it is a security-sensitive project I am very wary of how Rust crates use different syscalls (to the point where I audited the key methods in the Rust standard library I used, to ensure they did the right thing -- see rust-lang/rust#62425).@cgwalters asked me whether I could use this library for
libpathrs
in order to help consolidate Rust*at
-using programs to make use of a single library. I took a look, and unfortunately several aspects of the current API concern me a little bit (at least, for the use-case I have). There are three main problems I saw:The API is designed around a
Dir
object, with everything being a method of such an object. This is probably the most obvious way of doing it, given how all of the*at(2)
documentation is written -- but it's not the most useful.AT_EMPTY_PATH
(or various other/proc/self/fd
tricks) allows you to operate on non-directories, and there are many use-cases for wanting to do that. Another example of this problem is that therenameat2
wrappers can only be used to a rename between two paths with the sameDir
-- this is simply not useable for my usecase withlibpathrs
(I must be able to do all*at(2)
operations without any/
s in the paths, because that leads to serious attack vectors -- and so I need to use two differentDir
s).The flags for all the
*at(2)
syscalls are not exposed by this crate. While this might make the API much simpler, it seriously restricts the usability of the*at(2)
wrappers provided -- as a simple example, if you cannot explicitly specifyO_NOFOLLOW
or the non-openat(2)
equivalent then you simply cannot be secure against certain attacks (in thelibpathrs
usecase). To be fair, I do agree with your splitting of the functionality ofrenameat2(2)
-- it does three different things (though you didn't exposeRENAME_NOREPLACE
). Not to mention the lack ofO_PATH
support -- which is ridiculously critical forlibpathrs
(the entire library depends on very specific semantics thatO_PATH
file descriptors provide).While there is some documentation for the methods, I would love to have much more detailed documentation about the security properties (even something as basic as showing what syscalls are called by a given method). For security-critical projects i
My main question is, would you be interested in working together to create an API that can accommodate my requirements while also providing more idiomatic helper wrappers that less-insane users can make use of? Currently
libpathrs
has its own wrappers (which I trust and understand because I wrote them), but it makes little sense for every project to write their own wrappers for a dozen syscalls.There is also some hardening work within
libpathrs
(such as getting a handle to/proc
when the library is first loaded, checking that it really is procfs and then using it for all/proc
-related shenanigans). It would be nice if things like that were put into this project as well.Thanks.
The text was updated successfully, but these errors were encountered: