Bug #1286
closedsession daemon should validate credentials received from application (lttng-ust)
100%
Description
Looking at ustctl_recv_reg_msg() , I notice that the session daemon fails to validate the pid and uid credentials it receives from the application, thus trusting them blindly. This means a non-root application could theoretically impersonate a root application from a tracing perspective, and thus access root tracing buffers in a per-uid configuration, which is unwanted. I remember that initially we had no validation of the pid provided by the application because original lttng 2.0 only supported per-pid buffers and had per application tracing buffers only, so it did not cause any issue other than mislabeling the trace directory. However, now that the buffers can be shared between processes belonging to the same uid, this needs to be validated by the session daemon, and it's not.
So the quick fix here would be to validate on the session daemon side that the credentials provided by the application match those from a sessiond perspective through unix socket credentials (getsockopt(2) SO_PEERCRED on Linux and LOCAL_PEERCRED on BSD). That would however mean that sessiond would refuse applications that come from separate namespaces if the credentials don't match.
Tweaking liblttng-ust-comm/lttng-ust-comm.c:ustcomm_send_reg_msg() to send dummy credentials shows that the session daemon indeed trusts the application blindly.
Files
Updated by Mathieu Desnoyers about 4 years ago
- File 0001-Fix-Use-unix-socket-peercred-for-pid-uid-gid-credent.patch 0001-Fix-Use-unix-socket-peercred-for-pid-uid-gid-credent.patch added
- Status changed from New to In Progress
- Assignee set to Mathieu Desnoyers
Updated by Mathieu Desnoyers almost 4 years ago
- Status changed from In Progress to Resolved
- % Done changed from 0 to 100
Applied in changeset lttng-ust|a834901f2890deadb815d7f9e3ab79c3ba673994.