From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH container v4 24/27] restore tar archive: check potentially untrusted archive
Date: Thu, 14 Nov 2024 16:07:51 +0100 [thread overview]
Message-ID: <20241114150754.374376-25-f.ebner@proxmox.com> (raw)
In-Reply-To: <20241114150754.374376-1-f.ebner@proxmox.com>
'tar' itself already protects against '..' in component names and
strips absolute member names when extracting (if not used with the
--absolute-names option) and in general seems sane for extracting.
Additionally, the extraction already happens in the user namespace
associated to the container. So for now, start out with some basic
sanity checks. The helper can still be extended with more checks.
Checks:
* list files in archive - will already catch many corrupted/bogus
archives.
* check that there are at least 10 members - should also catch
archives not actually containing a container root filesystem or
structural issues early.
* check that /sbin directory or link exists in archive - ideally the
check would be for /sbin/init, but this cannot be done efficiently
before extraction, because it would require to keep track of the
whole archive to be able to follow symlinks.
* abort if there is a multi-volume member in the archive - cheap and
is never expected.
Checks that were considered, but not (yet) added:
* abort when a file has unrealistically large size - while this could
help to detect certain kinds of bogus archives, there can be valid.
use cases for extremely large sparse files, so it's not clear what
a good limit would be (1 EiB maybe?). Also, an attacker could just
adapt to such a limit creating multiple files and the actual
extraction is already limited by the size of the allocated container
volume.
* check that /sbin/init exists after extracting - cannot be done
efficiently before extraction, because it would require to keep
track of the whole archive to be able to follow symlinks. During
setup there already is detection of /etc/os-release, so issues with
the structure will already be noticed. Adding a hard fail for
untrusted archives would require either passing that information to
the setup phase or extracting the protected_call method from there
into a helper.
* adding 'restrict' to the (common) tar flags - the tar manual (not
the man page) documents: "Disable use of some potentially harmful
'tar' options. Currently this option disables shell invocation from
multi-volume menu.". The flag was introduced in 2005 and this is
still the only thing it is used for. Trying to restore a
multi-volume archive already fails without giving multiple '--file'
arguments and '--multi-volume', so don't bother adding the flag.
* check format of tar file - would require yet another invocation of
the decompressor and there seems to be no built-in way to just
display the format with 'tar'. The 'file' program could be used, but
it seems to not make a distinction between old GNU and GNU and old
POSIX and POSIX formats, with the old ones being candidates to
prohibit. So that would leave just detecting the old 'v7' format.
Suggested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
No changes in v4.
src/PVE/LXC/Create.pm | 67 ++++++++++++++++++++++++++++++++++++++++---
1 file changed, 63 insertions(+), 4 deletions(-)
diff --git a/src/PVE/LXC/Create.pm b/src/PVE/LXC/Create.pm
index d2f675e..bf424f6 100644
--- a/src/PVE/LXC/Create.pm
+++ b/src/PVE/LXC/Create.pm
@@ -99,12 +99,65 @@ my sub tar_compression_option {
}
}
+# Basic checks trying to detect issues with a potentially untrusted or bogus tar archive.
+# Just listing the files is already a good check against corruption.
+# 'tar' itself already protects against '..' in component names and strips absolute member names
+# when extracting, so no need to check for those here.
+my sub check_tar_archive {
+ my ($archive) = @_;
+
+ print "checking archive..\n";
+
+ # To resolve links to get to 'sbin/init' would mean keeping track of everything in the archive,
+ # because the target might be ordered first. Check only that 'sbin' exists here.
+ my $found_sbin;
+
+ # Just to detect bogus archives, any valid container filesystem should have more than this.
+ my $required_members = 10;
+ my $member_count = 0;
+
+ my $check_file_list = sub {
+ my ($line) = @_;
+
+ # The date is in ISO 8601 format. The last part contains the potentially quoted file name,
+ # potentially followed by some additional info (e.g. where a link points to).
+ my ($type, $perms, $uid, $gid, $size, $date, $time, $file_info) =
+ $line =~ m!^([a-zA-Z\-])(\S+)\s+(\d+)/(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.*)$!;
+
+ die "found multi-volume member in archive\n" if $type eq 'M';
+
+ if (!$found_sbin && (
+ ($file_info =~ m!^(?:\./)?sbin/$! && $type eq 'd')
+ || ($file_info =~ m!^(?:\./)?sbin ->! && $type eq 'l')
+ || ($file_info =~ m!^(?:\./)?sbin link to! && $type eq 'h')
+ )) {
+ $found_sbin = 1;
+ }
+
+ $member_count++;
+ };
+
+ my $compression_opt = tar_compression_option($archive);
+
+ my $cmd = ['tar', '-tvf', $archive];
+ push $cmd->@*, $compression_opt if $compression_opt;
+ push $cmd->@*, '--numeric-owner';
+
+ PVE::Tools::run_command($cmd, outfunc => $check_file_list);
+
+ die "no 'sbin' directory (or link) found in archive '$archive'\n" if !$found_sbin;
+ die "less than 10 members in archive '$archive'\n" if $member_count < $required_members;
+}
+
my sub restore_tar_archive_command {
- my ($conf, $compression_opt, $rootdir, $bwlimit) = @_;
+ my ($conf, $compression_opt, $rootdir, $bwlimit, $untrusted) = @_;
my ($id_map, $root_uid, $root_gid) = PVE::LXC::parse_id_maps($conf);
my $userns_cmd = PVE::LXC::userns_command($id_map);
+ die "refusing to restore privileged container backup from external source\n"
+ if $untrusted && ($root_uid == 0 || $root_gid == 0);
+
my $cmd = [@$userns_cmd, 'tar', 'xpf', '-'];
push $cmd->@*, $compression_opt if $compression_opt;
push $cmd->@*, '--totals';
@@ -127,7 +180,7 @@ my sub restore_tar_archive_command {
}
sub restore_tar_archive {
- my ($archive, $rootdir, $conf, $no_unpack_error, $bwlimit) = @_;
+ my ($archive, $rootdir, $conf, $no_unpack_error, $bwlimit, $untrusted) = @_;
my $archive_fh;
my $tar_input = '<&STDIN';
@@ -142,7 +195,12 @@ sub restore_tar_archive {
$tar_input = '<&'.fileno($archive_fh);
}
- my $cmd = restore_tar_archive_command($conf, $compression_opt, $rootdir, $bwlimit);
+ if ($untrusted) {
+ die "cannot verify untrusted archive on STDIN\n" if $archive eq '-';
+ check_tar_archive($archive);
+ }
+
+ my $cmd = restore_tar_archive_command($conf, $compression_opt, $rootdir, $bwlimit, $untrusted);
if ($archive eq '-') {
print "extracting archive from STDIN\n";
@@ -170,7 +228,7 @@ sub restore_external_archive {
my $tar_path = $info->{'tar-path'}
or die "did not get path to tar file from backup provider\n";
die "not a regular file '$tar_path'" if !-f $tar_path;
- restore_tar_archive($tar_path, $rootdir, $conf, $no_unpack_error, $bwlimit);
+ restore_tar_archive($tar_path, $rootdir, $conf, $no_unpack_error, $bwlimit, 1);
} elsif ($mechanism eq 'directory') {
my $directory = $info->{'archive-directory'}
or die "did not get path to archive directory from backup provider\n";
@@ -189,6 +247,7 @@ sub restore_external_archive {
'.',
];
+ # archive is trusted, we created it
my $extract_cmd = restore_tar_archive_command($conf, undef, $rootdir, $bwlimit);
eval { PVE::Tools::run_command([$create_cmd, $extract_cmd]); };
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2024-11-14 15:16 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-14 15:07 [pve-devel] [PATCH-SERIES qemu/common/storage/qemu-server/container/manager v4 00/27] backup provider API Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH qemu v4 01/27] PVE backup: add target ID in backup state Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH qemu v4 02/27] PVE backup: get device info: allow caller to specify filter for which devices use fleecing Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH qemu v4 03/27] PVE backup: implement backup access setup and teardown API for external providers Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH qemu v4 04/27] PVE backup: implement bitmap support for external backup access Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH common v4 05/27] test: lock file: get rid of END block that made test always pass Fiona Ebner
2024-11-14 19:46 ` [pve-devel] applied: " Thomas Lamprecht
2024-11-14 15:07 ` [pve-devel] [PATCH common v4 06/27] tools: run fork: allow running code in parent after fork Fiona Ebner
2024-11-14 19:46 ` [pve-devel] applied: " Thomas Lamprecht
2024-11-14 15:07 ` [pve-devel] [PATCH common v4 07/27] test: have lock file test use run_fork() helper Fiona Ebner
2024-11-14 19:46 ` [pve-devel] applied: " Thomas Lamprecht
2024-11-14 15:07 ` [pve-devel] [PATCH storage v4 08/27] add storage_has_feature() helper function Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH storage v4 09/27] plugin: introduce new_backup_provider() method Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH storage v4 10/27] extract backup config: delegate to backup provider for storages that support it Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [POC storage v4 11/27] add backup provider example Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [POC storage v4 12/27] WIP Borg plugin Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH qemu-server v4 13/27] backup: keep track of block-node size for fleecing Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH qemu-server v4 14/27] module config: load nbd module at boot Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH qemu-server v4 15/27] backup: allow adding fleecing images also for EFI and TPM Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH qemu-server v4 16/27] backup: implement backup for external providers Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH qemu-server v4 17/27] backup: implement restore " Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH qemu-server v4 18/27] backup restore: external: hardening check for untrusted source image Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH container v4 19/27] add LXC::Namespaces module Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH container v4 20/27] backup: implement backup for external providers Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH container v4 21/27] backup: implement restore " Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH container v4 22/27] external restore: don't use 'one-file-system' tar flag when restoring from a directory Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH container v4 23/27] create: factor out compression option helper Fiona Ebner
2024-11-14 15:07 ` Fiona Ebner [this message]
2024-11-14 15:07 ` [pve-devel] [PATCH container v4 25/27] api: add early check against restoring privileged container from external source Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH manager v4 26/27] ui: backup: also check for backup subtype to classify archive Fiona Ebner
2024-11-14 15:07 ` [pve-devel] [PATCH manager v4 27/27] backup: implement backup for external providers Fiona Ebner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241114150754.374376-25-f.ebner@proxmox.com \
--to=f.ebner@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox