Create private .ssh and .gnupg directories prior to merge (during clone)

[TheLocehiliosan]

As referenced in Debian #868300, permissions on .ssh and .gnupg directories are restricted after an initial clone is complete. Git employs the user's umask to set permissions for any files/directories created.

If .ssh or .gnupg directories already exist with restricted permissions prior to cloning, the permissions will not be changed. Git only affects the permissions of directories that do not already exist. In practice this race condition does not pose a problem assuming the encryption feature is used for confidential data.

For example, suppose a user wants to manage a .ssh/config and .ssh/id_rsa. Also suppose the .ssh/config is limited configuration data only, and the .ssh/id_rsa is their private key. If .ssh/id_rsa is included using the encryption function the following scenarios are possible:

• If .ssh already exists and is secured

  • During the clone .ssh permissions are not changed (remain secure)

• If .ssh does not yet exist

  • During the clone .ssh and .ssh/config will be created with the default umask
  • (at this point no private data is exposed)
  • After the clone permissions are restricted
  • yadm decrypt is run (either by the user or via bootstrap) and the .ssh/id_rsa is put into the .ssh. .ssh's permissions will already be restricted at this point

Regardless, I plan to update clone operations. If there are files tracked in the repo under locations .ssh or .gnupg and those paths do not yet exist (an initial clone), I will create empty directories and secure them first. This should mitigate any concerns about a race condition. However, I don't think there is any effective problem as it stands today.

[TheLocehiliosan]

@danielshahaf - I think you reported this Debian bug report. If you want to take a look at my comments above, I'm not sure if grave is the most appropriate severity level. I would be interested if you had any feedback on my comments, and planned changes. Thanks!

[danielshahaf]

@TheLocehiliosan Yes, it was I.

Regarding the fix, the important thing is to have no window in which the directory exists and is world readable. I suggest mkdir -m700 or (umask 077 && mkdir).

I agree that the severity isn't clear cut here. A successful exploit requires several planets to align. (And for that matter, the exploitability of "dir is created 0755, chmod'd 0700, and then a secret file is created in it" may differ between linux and kFreeBSD...) To cut a long story short, feel free to adjust the severity as you see fit. :-)

Thanks for the timely response.

[TheLocehiliosan]

Thanks for the feedback. I'll push ahead with these planned changes in about a week when I'll have time to focus on yadm again.

[danielshahaf]

As noted downstream, this issue has been assigned the identifier CVE-2017-11353.

[TheLocehiliosan]

@danielshahaf @czchen - I've published a change to the dev branch. Can you confirm this resolves your concerns?

[czchen]

looks good for me

[danielshahaf]

The code does mkdir foo; chmod foo. Suppose an attacker does opendir("foo") before the chmod, will he be able to use openat(3) after the chmod?

I don't know the answer, but using mkdir -m or umask instead would resolve this concern.

Also I suggest to mention the CVE number in the log message.

[TheLocehiliosan]

@danielshahaf Yes, you are absolutely right with the mkdir -m. That thought got lost when I was handling the case where a private directory already exists. I've fixed that and pushed an update to the dev branch, and the commit messages also mentions the CVE number. How does it look to you now?

[danielshahaf]

I wouldn't chmod the directory if it already exists. I'd either just use it and trust the user to have created it correctly, or alternatively check its permissions and bail out if they are too open to my liking.

[TheLocehiliosan]

@danielshahaf Sure. I actually want to do the least amount of changes that address the concerns you've brought up. I've pushed another change to the dev branch. Would you be so kind as to confirm this addresses your concerns? I want to be sure before doing a release. Thanks.

[danielshahaf]

@TheLocehiliosan Sure, that makes sense. The mkdir looks secure now.

What I have not reviewed is 1) the new test, 2) whether any other codepaths need patching (there is a git pull codepath other than clone, isn't there?), 3) whether $YADM_WORK exists at the time of the mkdir (if it doesn't, it'd be created with mode 0700, instead of with the umask-default permissions in current master).

[TheLocehiliosan]

Regarding other code paths, aside from clone, all work-tree operations are done by Git directly.

Regarding $YADM_WORK being created as 0700, I'm fairly sure that the standard operation of mkdir with -p and -m combined, is to apply the specified mask for the last directory only, and parent directories will get their access mode from umask (if they need to be created).

Thanks

[danielshahaf]

Regarding other code paths, aside from clone, all work-tree operations are done by Git directly.

So if a git pull creates a .ssh dir, that dir would be created with the default permissions, wouldn't it?

[TheLocehiliosan]

Yes that is correct. However, as soon as the Git operation is complete, the permissions are asserted by yadm. It is probably possible to test if the repo tracks data in .ssh prior to a merge (as is done during the `yadm clone` now, but in the case of a pull, Git does a fetch and merge in a single operation. I'm not sure of a reasonable method to determine prior to a pull if the commits present in the remote repo contain data from .ssh when there previously wasn't. Even if I were to query the remote repo prior to allowing a pull, there is the possibility that a new commit shows up between the query and the pull. I'm very open to some suggestion though. It's possible to ALWAYS create these directories prior to any commands (on the chance that data in those directories is tracked), but that seems rather heavy-handed to me. But perhaps that is a way to allay concerns. Again, no one should maintain private data in .ssh within the repo itself. If anyone does that, their data is also exposed in their repo. Any private data should be handled using the encrypt/decrypt features. I think providing individuals use tools sensibly, that it is possible that configuration data is momentarily readable prior being secured, but that private data is not exposed.

[TheLocehiliosan]

After thinking a bit more about it, perhaps it is easiest to always create the directories prior to Git operations. To remove the heavy-handedness I'll have that only apply to Git commands that change the work-tree, and I'll create an option that allows users to disable it if they don't want that feature. However the directory creation during clone (if the repo tracks data in these directories) will continue to operate as it does in the dev branch now.

@danielshahaf does that plan sound satisfactory to you?

[TheLocehiliosan]

@danielshahaf - Any further thoughts on the latest version of the dev branch? I just want to be sure I'm fully addressing your concerns before I publish a release.

[danielshahaf]

@TheLocehiliosan Sorry, no time to review the new diff right now :(