
Issue 836804


Issue metadata

Status: WontFix
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug




Security: Don't use env variables in atrusd Upstart config file

Project Member Reported by jorgelo@chromium.org, Apr 25 2018

Issue description

https://chromium.googlesource.com/chromiumos/third_party/atrusctl/+/master/init/atrusd.conf#13

env chroot=/tmp/atrusd_chroot
pre-start script
  mkdir -p "$chroot/dev" "$chroot/lib/firmware/google" "$chroot/run/udev" \
           "$chroot/sys" "$chroot/tmp" "$chroot/usr/sbin" "$chroot/run/dbus"
end script

Does atrusd need to track this with an environment variable? This would allow a compromised Chrome browser process (or other process with privilege to talk to Upstart) to make Upstart create these directories anywhere.

If possible, just hardcode the directories.

Assigning to Emil since he wrote the original code, hopefully you can route appropriately. As per our guidelines at https://chromium.googlesource.com/chromiumos/docs/+/master/security_severity_guidelines.md, this is medium severity since it could be dangerous when combined with other bugs. Medium severity bugs normally get assigned to the latest stable milestone. Given that this runs on CFM, we might be OK with just fixing on ToT though.
 

Comment 1 by lndmrk@chromium.org, Apr 26 2018

Status: Started (was: Assigned)
No, it's not really necessary, just used for code-reuse. It should be an easy fix.
Labels: -M-66 M-68
Thanks! I'm gonna tag this as M68 to signal the fact that we don't need to cherry-pick to branches.
Components: Security
As explained by mnissler, I confused "env" with "import". Feel free to close this as WontFix.
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Impact-Stable -Security_Severity-Medium Type-Bug

Comment 6 by lndmrk@chromium.org, May 15 2018

Status: WontFix (was: Started)
