From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id C5325D538 for ; Fri, 14 Jul 2023 13:41:04 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 9DAFD2F00A for ; Fri, 14 Jul 2023 13:40:34 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Fri, 14 Jul 2023 13:40:33 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 8F7A341F79 for ; Fri, 14 Jul 2023 13:40:32 +0200 (CEST) Date: Fri, 14 Jul 2023 13:40:23 +0200 From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= To: Proxmox VE development discussion References: <20230615120329.28764-1-n.ullreich@proxmox.com> In-Reply-To: <20230615120329.28764-1-n.ullreich@proxmox.com> MIME-Version: 1.0 User-Agent: astroid/0.16.0 (https://github.com/astroidmail/astroid) Message-Id: <1689334028.ni4oeuf61z.astroid@yuna.none> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.071 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [plugin.pm, cifsplugin.pm, cephfsplugin.pm, proxmox.com, storage.pm, glusterfsplugin.pm, pluggin.pm, dirplugin.pm, nfsplugin.pm] Subject: Re: [pve-devel] [PATCH pve-storage/pve-manager v3 0/4] fix #623: show isos/vztmpl/snippets in subdirs X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Jul 2023 11:41:04 -0000 On June 15, 2023 2:03 pm, Noel Ullreich wrote: > This patch fixes #623, allowing isos/vztmpl/snippets in subdirectories. > This feature is opt-in and can be set from the API, web interface or > with `pvesm`. >=20 > I addressed the security concerns raised by Fabian, now parent > directories in the path (i.e. `/my/path/../somewhere/`) are forbidded. > I have kept the permission to use symlinks, however, if this is a > security issue, symlinks can easily be forbidden as well. This, > however, would be a breaking change. w.r.t. the symlinks: symlinks are (still) allowed for the files themselves, which is okay. what is a bit strange is that the "size" of a symlinked iso is that of the symlink, not of the target, i.e., it depends on the name length instead of the content size ;) symlinks are not allowed (or rather, ignored) for the intermediate components, which I guess would be one of the main use cases for symlinks in the first place? having to link each file separately seems tedious.. I tried to think about possible "bad" scenarios with symlinked subdirs, but all of them are applicable to symlinked files as well and either - require direct write access to the storage directory hierarchy to allow the creation of "dangerous" symlinks (not exposed over the API) - an attacker-controlled host-mounted subvol that is mounted below the iso/template/.. content dir (which is actually a variant of the above I guess) with the size and dir parts addressed, and the small nit I noted inline with patch #1, consider this Reviewed-by: Fabian Gr=C3=BCnbichler unless somebody comes up with a symlink-related attack scenario that would be exploitable on a regular PVE setup which I missed, of course ;) > parts of the tests as well as the regex for checking, if a `/../` is in > the path have been taken and/or adapted from an older patch that was > never merged: > https://lists.proxmox.com/pipermail/pve-devel/2020-May/043622.html >=20 > This is a complete rework from v1, so I don't see a point in writing > what the differences are. It's all different. >=20 > ---- > changes from v2: > * rebased so that applying with new structure in pve-storage works=20 > (/PVE was moved to /src/PVE/) > * fixed the path of the volid for snippets in Pluggin.pm (thanks @Markus) >=20 > Noel Ullreich (4): >=20 > pve-storage: > recursively go through subdirs to find files > add `subdir-depth` option to filesystems > update test for recursive subdir search >=20 > src/PVE/Storage.pm | 7 +++ > src/PVE/Storage/CIFSPlugin.pm | 1 + > src/PVE/Storage/CephFSPlugin.pm | 1 + > src/PVE/Storage/DirPlugin.pm | 1 + > src/PVE/Storage/GlusterfsPlugin.pm | 1 + > src/PVE/Storage/NFSPlugin.pm | 1 + > src/PVE/Storage/Plugin.pm | 63 +++++++++++++++++---------- > src/test/filesystem_path_test.pm | 18 ++++++++ > src/test/list_volumes_test.pm | 68 ++++++++++++++++++++++++++++++ > src/test/parse_volname_test.pm | 40 ++++++++++++++++++ > 10 files changed, 179 insertions(+), 22 deletions(-) >=20 > pve-manager: > www/manager6/storage/Base.js | 11 +++++++++++ > 1 file changed, 11 insertions(+) > --=20 > 2.30.2 >=20 >=20 >=20 > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel >=20 >=20 >=20