
Re: debix-imager searches sponsor



Duck <duck@duckcorp.org> writes:

> P.S.: I don't see the point of creating/finalizing; could you add a full example
> with explanations in your package?

Yep. I'm thinking about some more docs than the manpage.

The short version follows.

"create" creates a subdir with the loopback file, the mountpoint and a
state file in it owned by root.user with mode 750 (rwxr-x---).
As you see the user can read the files but not change anything. The
loopback file is also mounted nosetuid so that setuid bins can't be
used to gain root.

Then you do your work manipulating the image. That can be running
debootstrap, tar or (after tainting the image, not yet implemented)
direct write access as user. chown/chmod/cp/cat calls will be added
too.

When one is done one has to finalize the operation to get the loopback
file umounted, chowned user.user and chmoded to 664 (-rw-rw-r--).
The destroy operation will skip the chown/chmod and just umount and
clean up.


Why is all that necessary, you might ask? If the user had write access
to the image he could manipulate the image while it is mounted and
thereby crash the kernel or maybe even execute code in kernelspace.
The FS drivers are pretty vulnerable to changes. Also one could
start debootstrap and then change some postinst scripts on the fly to
gain root. There is ample time to locate and change them in the image
between unpacking and execution.

MfG
        Goswin
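The create / finalize / destroy lifecycle Goswin sketches above, as an added example; this is not debix-imager's own code and the function names, the `image.loop` / `mnt` / `state` file names, the JSON state file, the `nodev` mount option and the `run` callable are all assumptions of this example. The ownership and mode handling on the work directory and the image file is done for real with `os.chmod`; the steps that need root (chown to root, loop mount, umount) are handed to `run`, so that with a recorder in place of a shell-out the same code can be exercised as an unprivileged user and the resulting modes and command lines checked.

```python
"""Model of the create / finalize / destroy lifecycle from the mail.

Added example (not debix-imager's code). Privileged steps (chown to
root, loop mount, umount) go through `run`; with the default recorder
they are only logged, so owner stays the calling user and only the
modes are enforced for real.
"""
import json
import os
import stat
import tempfile

IMAGE, MNT, STATE = "image.loop", "mnt", "state"   # names are assumptions

DIR_MODE_WORK = 0o750     # rwxr-x---: user may look, only root may change
IMAGE_MODE_WORK = 0o640   # user can read the raw image, not write to it
IMAGE_MODE_DONE = 0o664   # -rw-rw-r--: handed back to the user on finalize


def mount_argv(image, mountpoint):
    """Mount command; nosuid keeps setuid binaries inside the image from
    being usable to gain root. nodev is an extra assumption of this example."""
    return ["mount", "-o", "loop,nosuid,nodev", image, mountpoint]


def _paths(workdir):
    return tuple(os.path.join(workdir, n) for n in (IMAGE, MNT, STATE))


def _write_state(path, **fields):
    with open(path, "w") as fh:
        json.dump(fields, fh)
    os.chmod(path, 0o640)


def read_state(workdir):
    with open(_paths(workdir)[2]) as fh:
        return json.load(fh)


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def create(workdir, size_bytes, user, run):
    """Create workdir/{image.loop,mnt,state}, lock the modes down, mount."""
    os.mkdir(workdir, DIR_MODE_WORK)
    os.chmod(workdir, DIR_MODE_WORK)      # mkdir honours umask; force it
    image, mnt, state = _paths(workdir)
    with open(image, "wb") as fh:
        fh.truncate(size_bytes)           # sparse image file
    os.chmod(image, IMAGE_MODE_WORK)
    os.mkdir(mnt, 0o750)
    os.chmod(mnt, 0o750)
    run(["chown", "-R", "root:%s" % user, workdir])   # root.user in the mail
    run(mount_argv(image, mnt))
    _write_state(state, user=user, mounted=True, finalized=False)
    return workdir


def _teardown(workdir, run):
    image, mnt, state = _paths(workdir)
    st = read_state(workdir)
    if not st["mounted"]:
        raise RuntimeError("image is not mounted")
    run(["umount", mnt])
    st["mounted"] = False
    _write_state(state, **st)
    return image, mnt, state, st


def finalize(workdir, run):
    """Unmount, then hand the image to the user: user.user, mode 0664."""
    image, mnt, state, st = _teardown(workdir, run)
    run(["chown", "%s:%s" % (st["user"], st["user"]), image])
    os.chmod(image, IMAGE_MODE_DONE)
    _write_state(state, user=st["user"], mounted=False, finalized=True)
    return mode_of(image)


def destroy(workdir, run):
    """Unmount and remove everything; no chown/chmod, the user gets nothing."""
    image, mnt, state, _ = _teardown(workdir, run)
    for p in (image, state):
        os.remove(p)
    os.rmdir(mnt)
    os.rmdir(workdir)
    return not os.path.exists(workdir)


def demo_finalize():
    """create -> finalize in a temp dir; returns observed modes and the
    privileged commands that would have run."""
    log = []
    work = os.path.join(tempfile.mkdtemp(), "img1")
    create(work, 16 * 1024 * 1024, "alice", log.append)
    dir_mode, img_mode = mode_of(work), mode_of(os.path.join(work, IMAGE))
    final = finalize(work, log.append)
    return {"dir_mode": dir_mode, "image_mode_mounted": img_mode,
            "image_mode_final": final, "commands": log}


def demo_destroy():
    """create -> destroy; returns (workdir removed?, command verbs issued)."""
    log = []
    work = os.path.join(tempfile.mkdtemp(), "img2")
    create(work, 4096, "bob", log.append)
    return destroy(work, log.append), [c[0] for c in log]


if __name__ == "__main__":
    print(demo_finalize())
    print(demo_destroy())
```

Run as an ordinary user it only records the chown/mount/umount lines; plugging in `subprocess.check_call` as `run` and running as root turns it into the real thing. The point to take from the modes: while the image is mounted the user can read but not write the directory or the image file, and only finalize, after the umount, relaxes the image to 0664.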