Unsafe Browser - Insecure Permissions of chroot overlay
From https://git.radicallyopensecurity.com/ros/pen-tails/-/issues/17 :
The chroot setup of /usr/local/sbin/unsafe-browser gives the low-privileged user amnesia some control over a mount -t overlay due to too broad permissions. However, due to the limited time of the code audit, we stopped following this path and decided to assign this issue the threat level N/A. Please note that this issue may lead to code execution as root.
Technical Description
The low-privileged user amnesia can run /usr/local/sbin/unsafe-browser as root using sudo without a password:
(root) NOPASSWD: /usr/local/sbin/unsafe-browser ""
For the setup of the unsafe browser, a chroot is configured by invoking the function setup_chroot_for_browser.
/usr/local/sbin/unsafe-browser
echo "* Setting up chroot"
setup_chroot_for_browser "${CHROOT}" "${COW}" "${BROWSER_USER}" || \
    error "$(gettext "Failed to setup chroot.")"
Inside the setup_chroot_for_browser function the cow folder /var/lib/unsafe-browser is mounted as tmpfs via the command mount -t tmpfs tmpfs "${cow}". Because a tmpfs mounted without an explicit mode option defaults to mode 1777, this means that every user on the system has full permission on the /var/lib/unsafe-browser/cow folder. The low-privileged user amnesia could symlink the "${cow}/rw" and "${cow}/work" directories by exploiting a race condition on startup. As a result, the amnesia user could mount an overlay with attacker-controlled folders during the command mount -t overlay -o "noatime,lowerdir=${lowerdirs},upperdir=${cow}/rw,workdir=${cow}/work" overlay "${chroot}".
/usr/local/lib/tails-shell-library/chroot-browser.sh
# Setup a chroot on a clean overlayfs "fork" of the root filesystem.
setup_chroot_for_browser () {
    local chroot="${1}"
    local cow="${2}"
    #......
    local rootfs_dir
    local rootfs_dirs_path="/lib/live/mount/rootfs"
    local tails_module_path="/lib/live/mount/medium/live/Tails.module"
    local lowerdirs=
    mkdir -p "${cow}" "${chroot}"
    # No mode= option: the fresh tmpfs gets the default mode 1777.
    mount -t tmpfs tmpfs "${cow}"
    # Window between the mount above and this mkdir: ${cow} is world-writable.
    mkdir "${cow}/rw" "${cow}/work"
    mount -t overlay -o "noatime,lowerdir=${lowerdirs},upperdir=${cow}/rw,workdir=${cow}/work" overlay "${chroot}"
    chmod 755 "${chroot}"
Impact
It seems that mounting the overlay with the symlinks does not work at first glance. However, due to the limited time of the code audit, we stopped following this path and decided to assign this issue the threat level N/A. Please note that this issue may lead to code execution as root.
Recommendation
Ensure that no sensitive operations are performed on the mounted tmpfs folder /var/lib/unsafe-browser/cow. Another option would be to make the permissions more strict after creating the directory /var/lib/unsafe-browser/cow.
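The following is an added example of the second recommendation, written for this report and not taken from Tails' chroot-browser.sh. Rather than tightening permissions after the mount (which still leaves the window between mount and mkdir), it passes mode=0700 to the tmpfs mount itself, so the cow directory is never world-writable, and it re-checks that rw and work are real root-owned, non-writable directories before they are handed to overlayfs. The function names setup_cow_hardened and check_private_dir, the mode=0700 option and the use of GNU stat -c are this example's choices. Overlayfs accesses its layers with the mounter's credentials, so a 0700 upperdir does not affect the browser user's access to the merged chroot.

```shell
#!/bin/sh
# Added example (not Tails' code): hardened cow/overlay setup.
set -eu

# Return 0 when $1 is a real directory (not a symlink), owned by the invoking
# user (root when run under sudo) and not group/world writable; else return 1.
# Uses GNU stat -c, as available on Tails.
check_private_dir () {
    dir="$1"
    if [ -L "${dir}" ]; then
        echo "refusing ${dir}: is a symlink" >&2
        return 1
    fi
    if [ ! -d "${dir}" ]; then
        echo "refusing ${dir}: not a directory" >&2
        return 1
    fi
    owner="$(stat -c '%u' -- "${dir}")"
    mode="$(stat -c '%a' -- "${dir}")"
    if [ "${owner}" != "$(id -u)" ]; then
        echo "refusing ${dir}: owned by uid ${owner}" >&2
        return 1
    fi
    # 0022 = group-write | other-write. A leading 0 makes the stat output an
    # octal constant for the arithmetic expansion.
    if [ $(( 0${mode} & 0022 )) -ne 0 ]; then
        echo "refusing ${dir}: mode ${mode} is group/world writable" >&2
        return 1
    fi
    return 0
}

# Hardened equivalent of the mount/mkdir/mount sequence from the finding.
# $3 is the colon-separated lowerdir list the real script assembles.
setup_cow_hardened () {
    cow="$1"
    chroot="$2"
    lowerdirs="$3"
    mkdir -p "${cow}" "${chroot}"
    # mode=0700 at mount time: the tmpfs is root-only from the first instant,
    # instead of the 1777 default a bare "mount -t tmpfs" produces.
    mount -t tmpfs -o mode=0700 tmpfs "${cow}"
    # Plain mkdir (no -p) fails if anything already sits at rw/work.
    mkdir "${cow}/rw" "${cow}/work"
    # Belt and braces: verify what is about to be handed to overlayfs.
    for d in "${cow}/rw" "${cow}/work"; do
        check_private_dir "${d}" || return 1
    done
    mount -t overlay \
        -o "noatime,lowerdir=${lowerdirs},upperdir=${cow}/rw,workdir=${cow}/work" \
        overlay "${chroot}"
    chmod 755 "${chroot}"
}

# Usage (as root): harden-cow.sh <cow-dir> <chroot-dir> <lowerdirs>
# Does nothing when sourced or run without the three arguments.
if [ $# -eq 3 ] && [ "$(id -u)" -eq 0 ]; then
    setup_cow_hardened "$@"
fi
```

check_private_dir can be exercised on its own against a scratch directory without root: a 0700 or 0755 directory owned by the caller passes, while a symlink, a regular file, a missing path or a 0777 directory is rejected.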