Local root vulnerabilities in the Snap package management toolkit

Qualys has identified two vulnerabilities (CVE-2021-44731, CVE-2021-44730) in the snap-confine utility, which ships with the SUID root bit set and is invoked by the snapd process to construct the execution environment for applications distributed as self-contained snap packages. The vulnerabilities allow an unprivileged local user to execute code with root privileges on the system. The issues are fixed in today's snapd package update for Ubuntu 21.10, 20.04 and 18.04.

The first vulnerability (CVE-2021-44730) allows an attack through hard link manipulation, but requires hard link protection to be disabled on the system (sysctl fs.protected_hardlinks set to 0). The problem stems from incorrect verification of the location of the executables of the snap-update-ns and snap-discard-ns helper programs, which run as root. The path to these files is computed in the sc_open_snapd_tool() function from snap-confine's own path as reported by /proc/self/exe, which makes it possible to create a hard link to snap-confine in a directory of one's own and place custom versions of the snap-update-ns and snap-discard-ns utilities in that same directory. When started through the hard link, snap-confine, running with root privileges, launches the snap-update-ns and snap-discard-ns executables from the current directory, where the attacker has substituted them.
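As an added example (this editor's illustration, not snapd's own code), the following C program shows the defensive pattern that closes the helper-location problem described above: instead of trusting whatever directory /proc/self/exe resolves to, the helper path is checked against a fixed trusted directory, opened with O_NOFOLLOW, and the resulting file descriptor is verified (regular file, owned by root, not group- or world-writable) before it would be handed to fexecve(). TRUSTED_HELPER_DIR and all function names are assumptions made for the example.

```c
/* Added example (not snapd code): checking where a setuid program's helper
 * binaries live before executing them, instead of trusting the directory
 * derived from /proc/self/exe. All names here are hypothetical. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Trusted install directory for the helpers (assumed value). */
#define TRUSTED_HELPER_DIR "/usr/lib/snapd"

/* Return 1 if `path` names a file directly inside `trusted_dir`:
 * absolute, exactly one component after the prefix, and not "." or "..". */
int path_in_trusted_dir(const char *path, const char *trusted_dir)
{
    size_t n = strlen(trusted_dir);
    if (path[0] != '/' || strncmp(path, trusted_dir, n) != 0 || path[n] != '/')
        return 0;
    const char *name = path + n + 1;
    if (*name == '\0' || strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Return 1 if the inode metadata describes a helper we are willing to run:
 * a regular file owned by `owner`, not writable by group or others. */
int helper_stat_ok(const struct stat *st, uid_t owner)
{
    if (!S_ISREG(st->st_mode)) return 0;
    if (st->st_uid != owner) return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Open `path` without following a final symlink and validate it with
 * helper_stat_ok(). Returns an fd (>= 0) suitable for fexecve(), or -1.
 * Executing the fd rather than the path means the file cannot be swapped
 * between the check and the exec. */
int open_helper_checked(const char *path, uid_t owner)
{
    if (!path_in_trusted_dir(path, TRUSTED_HELPER_DIR)) return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !helper_stat_ok(&st, owner)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Resolve the directory of the running executable via /proc/self/exe.
 * Shown only to make the point: when the binary is started through a hard
 * link placed elsewhere, this resolves to that other directory, which is why
 * the checks above do not derive the helper location from it. */
int self_exe_dir(char *out, size_t outlen)
{
    char buf[PATH_MAX];
    ssize_t n = readlink("/proc/self/exe", buf, sizeof buf - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    char *slash = strrchr(buf, '/');
    if (!slash) return -1;
    *slash = '\0';
    if (strlen(buf) + 1 > outlen) return -1;
    strcpy(out, buf);
    return 0;
}

int main(void)
{
    char dir[PATH_MAX];
    if (self_exe_dir(dir, sizeof dir) == 0)
        printf("/proc/self/exe lives in: %s\n", dir);
    const char *helper = TRUSTED_HELPER_DIR "/snap-update-ns";
    int fd = open_helper_checked(helper, 0);
    printf("%s: %s\n", helper, fd >= 0 ? "accepted" : "rejected");
    if (fd >= 0) close(fd);
    return 0;
}
```

On a machine without snapd the sample helper is simply reported as rejected; the point is that a hard link to the caller placed in a writable directory no longer changes which helper gets run, because the helper location is fixed and verified independently of /proc/self/exe.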

The second vulnerability (CVE-2021-44731) is caused by a race condition and can be exploited in a default Ubuntu Desktop configuration. For the exploit to work on Ubuntu Server, one of the packages from the "Featured Server Snaps" section must have been selected during installation. The race occurs in the setup_private_mount() function, which is called while preparing the mount namespace for a snap package. This function creates a temporary directory "/tmp/snap.$SNAP_NAME/tmp", or reuses an existing one, in order to bind-mount directories for the snap package.

Since the name of the temporary directory is predictable, an attacker can replace its contents with a symbolic link after the ownership check but before the mount system call. For example, one can create a symlink "/tmp/snap.lxd/tmp" inside the /tmp/snap.lxd directory pointing to an arbitrary directory, and the mount() call will follow the symlink and mount that directory in the isolated namespace. Similarly, one can mount one's own contents over /var/lib and, by substituting /var/lib/snapd/mount/snap.snap-store.user-fstab, arrange for a directory of one's own to be mounted as /etc in the namespace of the isolated package, so that libraries are loaded with root privileges via a substituted /etc/ld.so.preload.
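As an added example (not snapd's own code), the C program below shows one way to prepare a predictable per-snap directory under /tmp that refuses the symlink substitution described above. Every step operates on a directory file descriptor obtained with O_NOFOLLOW rather than re-resolving the textual path, so a symlink planted at "tmp" between the mkdirat() and the openat() is rejected with ELOOP instead of followed, and the inode that was checked is the inode that is used. The function names, the scratch-directory layout and the fixture helpers are assumptions; the fixtures exist only so the block can be run as an unprivileged user.

```c
/* Added example (not snapd code): preparing a per-snap private directory under
 * /tmp without following attacker-placed symlinks, and without re-walking the
 * path between check and use. Names and layout are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Verify an already-open directory fd: a real directory, owned by `owner`,
 * not writable by others. Whatever a symlink swap pointed at is rejected here
 * if it does not meet these conditions. */
static int dir_fd_ok(int fd, uid_t owner)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    if (!S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != owner) return 0;
    if (st.st_mode & S_IWOTH) return 0;
    return 1;
}

/* Create (or reuse) `name` inside the directory `parent_fd` and return an fd
 * to it. O_NOFOLLOW makes openat() fail with ELOOP when `name` is a symlink,
 * so a link planted after mkdirat() is refused rather than followed. */
static int open_subdir_nofollow(int parent_fd, const char *name, uid_t owner)
{
    if (mkdirat(parent_fd, name, 0700) != 0 && errno != EEXIST)
        return -1;
    int fd = openat(parent_fd, name,
                    O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (!dir_fd_ok(fd, owner)) { close(fd); return -1; }
    return fd;
}

/* Build base/snap.<snap_name>/tmp and return an fd to the final directory.
 * Each step is relative to the previous fd, so the checks and the later use
 * refer to the same inode. A caller would then mount on "/proc/self/fd/<fd>"
 * instead of on the textual path. */
int prepare_private_dir(const char *base, const char *snap_name, uid_t owner)
{
    char dname[NAME_MAX];
    if (snprintf(dname, sizeof dname, "snap.%s", snap_name) >= (int)sizeof dname)
        return -1;
    int base_fd = open(base, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (base_fd < 0) return -1;
    int snap_fd = open_subdir_nofollow(base_fd, dname, owner);
    close(base_fd);
    if (snap_fd < 0) return -1;
    int tmp_fd = open_subdir_nofollow(snap_fd, "tmp", owner);
    close(snap_fd);
    return tmp_fd;
}

/* Test fixtures (constructed): a scratch base directory standing in for /tmp,
 * and a symlink planted where the private "tmp" directory would be created. */
int make_scratch_base(char *out, size_t outlen)
{
    char tmpl[] = "/tmp/snapex.XXXXXX";
    if (mkdtemp(tmpl) == NULL || strlen(tmpl) + 1 > outlen) return -1;
    strcpy(out, tmpl);
    return 0;
}

int plant_symlink(const char *base, const char *snap_name, const char *target)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/snap.%s", base, snap_name);
    if (mkdir(path, 0700) != 0 && errno != EEXIST) return -1;
    strncat(path, "/tmp", sizeof path - strlen(path) - 1);
    return symlink(target, path);
}

int main(void)
{
    char base[64];
    if (make_scratch_base(base, sizeof base) != 0) return 1;
    int good = prepare_private_dir(base, "lxd", getuid());
    printf("clean snap.lxd/tmp: %s\n", good >= 0 ? "accepted" : "rejected");
    plant_symlink(base, "evil", base);      /* symlink in place of "tmp" */
    int bad = prepare_private_dir(base, "evil", getuid());
    printf("snap.evil/tmp as symlink: %s\n", bad >= 0 ? "accepted" : "rejected");
    if (good >= 0) close(good);
    return 0;
}
```

The owner passed in is getuid() only so the example runs unprivileged; a setuid helper would pass 0 and additionally expect the sticky, root-owned parent that the real code relies on. The design point is the one the race above exploits: a path that is checked and then re-opened by name can change in between, whereas a directory fd cannot.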

It is noted that creating an exploit turned out to be a non-trivial task, since the snap-confine utility is written in Go using secure programming techniques, is protected by AppArmor profiles, filters system calls with seccomp, and uses a mount namespace for isolation. Nevertheless, the researchers were able to prepare a working exploit for obtaining root privileges on the system. The exploit code will be published a few weeks after users have installed the provided update.

source: budenet.ru
