A vulnerability in firejail allows root access on the system

News recently broke that a vulnerability (already catalogued as CVE-2022-31214) was identified in the Firejail application sandboxing tool; the flaw found can allow a local user to become root on the host system.

Firejail uses namespaces, AppArmor and system call filtering (seccomp-bpf) on Linux for isolation, but it needs elevated privileges to set up the isolated launch, which it obtains by being installed with the setuid-root bit or by being run through sudo.

The vulnerability is caused by a logic error in the "--join=" option, which is meant to attach to an already running isolated environment (something like a login command for a sandbox), with the environment identified by the ID of a process running inside it. In the pre-launch phase, firejail determines the privileges of the specified process and applies them to the new process that joins the environment with "--join".

Before joining, it checks whether the specified process is running inside a firejail environment. That check tests for the existence of the file /run/firejail/mnt/join. To exploit the vulnerability, an attacker can fake a firejail environment that was never actually isolated, using a mount namespace of their own, and then attach to it with the "--join" option.

If the configuration does not enforce the mode that prevents new processes from acquiring additional privileges (prctl NO_NEW_PRIVS), firejail will put the user into the fake environment and try to apply the user namespace settings (user ID mappings) of the init process (PID 1).

Most of the logic behind the join operation lives in the `src/firejail/join.c` source file. Critical parts of that code run with elevated privileges (effective UID 0). The process ID passed as a command-line argument is examined to determine whether it is a container, and some of its properties are read so that they can be applied to the newly joining process as well.

Iikhrayitheriya eziphambili zokuthatha isigqibo sokujoyina inkqubo ekujoliswe kuyo impumelelo bubukho befayile kwindawo yegama yethagethi, inkqubo efunyenwe kwi/run/firejail/mnt/join. Olu qinisekiso lwenziwa kwi-f`u_ulungele_ukudibanisa_()` umsebenzi. Ifayile ivulwa kusetyenziswa lIiflegi `O_RDONLY|O_CLOEXEC` kunye nomkhondo `fstat()` iziphumo kufuneka ukuhlangabezana nezi mfuno zilandelayo:

– ifayile kufuneka ibe yifayile eqhelekileyo.
– ifayile kufuneka ibe yeyomsebenzisi ongu-0 (njengoko kubonwa kumsebenzisi wokuqala
indawo yamagama).
- ifayile kufuneka ibe yi-1 byte ngobukhulu.

As a result, the process attached with "firejail --join" ends up in the original user namespace with unchanged privileges, but in a mount namespace that is fully controlled by the attacker.

The resulting "joined" shell therefore still runs with the ordinary user's privileges, yet every path it sees comes from the attacker's mount namespace. Because the nonewprivs setting was not applied, setuid-root binaries executed inside that mount namespace still gain root.

In particular, the attacker can run setuid-root programs inside the mount namespace they built, which lets them, for example, alter the /etc/sudoers configuration or the PAM settings in that file hierarchy and thereby gain the ability to execute commands as root through sudo or su.

Finally, it is worth mentioning that a working exploit has been developed and tested on current versions of openSUSE, Debian, Arch, Gentoo and Fedora with the firejail utility installed.

The issue was fixed in firejail version 0.9.70. As a security workaround, you can set "join no" and "force-nonewprivs yes" in the configuration file (/etc/firejail/firejail.config).
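As an added example (not from the article and not firejail's own code), the following POSIX shell script does two things from this page: it mirrors the three readiness criteria listed above as a check on a given path, which makes plain that any root-owned one-byte regular file at /run/firejail/mnt/join, in whatever mount namespace the target process lives in, satisfies them; and it audits an installed firejail for the fixed version and for the firejail.config workaround, with a helper that appends the workaround. Assumptions, also labelled in the code: firejail.config uses "key value" lines with "#" comments and the last assignment of a key wins; `firejail --version` prints "firejail version X.Y.Z" as its first line; the `find` options used (`-user` with a numeric ID, `-size 1c`, `-prune`, `-perm -4000`) behave as in GNU findutils.

```shell
#!/bin/sh
# Added example for the CVE-2022-31214 write-up above; not firejail's code.

# 1. Mirror of the pre-0.9.70 readiness criteria: regular file, owned by
#    uid 0 (as the initial user namespace sees it), exactly one byte.
#    Returns 0 if the path would pass, 1 otherwise. Note what is NOT
#    checked: nothing ties the file to a mount namespace firejail created.
join_file_acceptable() {
    path=$1
    # -prune stops descent if $path is a directory; -size 1c is exactly 1 byte.
    [ -n "$(find "$path" -prune -type f -user 0 -size 1c -print 2>/dev/null)" ]
}

# 2. Version and configuration audit.

# Compare dotted version strings; return 0 if $1 >= $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = na > nb ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Version of the installed firejail, or empty if it is not installed.
# Assumption: the first line of "firejail --version" is "firejail version X.Y.Z".
installed_version() {
    command -v firejail >/dev/null 2>&1 || return 0
    firejail --version 2>/dev/null | awk 'NR == 1 && $2 == "version" { print $3 }'
}

# Effective value of a key in a firejail.config-style file. Commented lines
# ("# join yes") only document defaults and are ignored; assumption: the last
# uncommented assignment wins. Prints nothing when the key is unset.
config_value() {
    key=$1 file=$2
    [ -r "$file" ] || return 0
    sed -n "s/^[[:space:]]*$key[[:space:]]\{1,\}\([^[:space:]#]\{1,\}\).*/\1/p" "$file" | tail -n 1
}

# 0 when the article's workaround is fully in place in the given file.
workaround_applied() {
    [ "$(config_value join "$1")" = "no" ] &&
    [ "$(config_value force-nonewprivs "$1")" = "yes" ]
}

# Append the workaround to a config file (later lines override earlier ones).
apply_workaround() {
    printf '%s\n' 'join no' 'force-nonewprivs yes' >> "$1"
}

# Report on the live system. Fixed version per the article: 0.9.70.
audit() {
    v=$(installed_version)
    [ -n "$v" ] || { echo "firejail not installed"; return 0; }
    bin=$(command -v firejail)
    if [ -n "$(find -L "$bin" -prune -perm -4000 -print 2>/dev/null)" ]; then
        suid=yes
    else
        suid=no
    fi
    echo "firejail $v, setuid-root binary: $suid"
    if version_ge "$v" 0.9.70; then
        echo "version includes the CVE-2022-31214 fix"
    elif workaround_applied /etc/firejail/firejail.config; then
        echo "vulnerable version, but 'join no' and 'force-nonewprivs yes' are set"
    else
        echo "VULNERABLE: upgrade, or set 'join no' and 'force-nonewprivs yes' in /etc/firejail/firejail.config"
    fi
}

audit
```

Run it as root on a host with firejail to get the report, or source it to use the functions. `join_file_acceptable` inspects the caller's own mount namespace; firejail performs the equivalent check after entering the target process's mount namespace, which is precisely why a namespace assembled by an unprivileged user can pass it.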

Finally, if you are interested in learning more about it, you can check the details at the following link.
