Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make visudo into a forbid(unsafe_code) module. #859

Open
squell opened this issue Sep 2, 2024 · 10 comments
Open

Make visudo into a forbid(unsafe_code) module. #859

squell opened this issue Sep 2, 2024 · 10 comments
Labels
C-visudo good first issue Good for newcomers

Comments

@squell
Copy link
Member

squell commented Sep 2, 2024
edited
Loading

visudo uses unsafe code at two spots n the fn create_temporary_dir. While visudo isn't part of the security critical boundary, it would be nice to remove them (or move them into the system module).
@squell squell added C-visudo good first issue Good for newcomers labels Sep 2, 2024
@squell squell mentioned this issue Sep 2, 2024
Merged
@dd-dreams
Copy link
Contributor

Is https://docs.rs/tempfile/latest/tempfile/fn.tempdir.html a good replacement? It's a small crate.
Otherwise, we could move the function to system module, or we can remove unsafe completely by just implementing a temporary directory pretty easily using env::temp_dir and creating a struct with custom drop.

@pvdrz
Copy link
Collaborator

pvdrz commented Sep 16, 2024

I'd lean to use an std function instead (I"m not sure if https://doc.rust-lang.org/std/env/fn.temp_dir.html does what we want). Adding a dependency that has unsafe code for a single function feels like putting the issue under the rug.

@dd-dreams
Copy link
Contributor

I have mis-copied before, I meant the link above I provided. You can use a std function, though I didn't find a way to use mkdtemp in std lib. You can create a temp dir manually.

@pvdrz
Copy link
Collaborator

pvdrz commented Sep 19, 2024

yeah we would have to come up with a random name for the directory ourselves and I'm not sure what would be the proper requirements for that. Maybe we could "just" move the mktemp wrapper to sudo and expose it so visudo can use it 🤔

@squell
Copy link
Member Author

squell commented Oct 7, 2024

I agree that just incorporating an extra dependency that uses the same kind of code would just be "sweeping it under the rug". One easy way would be to move it to system. Or we could investigate if fn.temp_dir suffices (but probably it doesn't or we would have already used that?)

@pvdrz
Copy link
Collaborator

pvdrz commented Oct 17, 2024

the issue with temp_dir is that it gives us the path to the temporary directory (/tmp/ in linux) but mktemp creates one random directory under the temporary directory.

So we could, in principle, call temp_dir and then mkdir a new directory with a random name under the temporary directory, but it could be a possible source of vulns.

I think moving this wrapper to system is the best solution.

@dd-dreams
Copy link
Contributor

temp_dir could suffice also because I'm not seeing any real danger implementing it ourselves, but moving it to system is also a good solution.

@pvdrz
Copy link
Collaborator

pvdrz commented Nov 14, 2024
edited
Loading

The advantage of just moving it to system is that we have the peace of mind that sudo has been using the same function
without issues for years.

@dd-dreams
Copy link
Contributor

Don't think its a good argument, but it's up to the maintainer.

@pvdrz
Copy link
Collaborator

pvdrz commented Nov 14, 2024

why?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C-visudo good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@squell @pvdrz @dd-dreams