Forbidden sqlite3 system call

Alexander Sack asac at canonical.com
Fri Nov 27 12:04:09 UTC 2015


On Wed, Nov 25, 2015 at 6:24 PM, Simon Stürz <timonmailinglist at gmail.com> wrote:
>
>
> On 2015-11-25 16:49, Alexander Sack wrote:
>>
>> On Mon, Nov 23, 2015 at 5:08 PM, Simon Stürz <timonmailinglist at gmail.com>
>> wrote:
>>>
>>> Hello everyone!
>>>
>>> I have been trying for quite a while to publish our IoT server guhIO in the snappy
>>> store. Unfortunately that was not possible so far
>>> because I had to use the security template "unconfined" (which is not a
>>> good
>>> idea, but made the development process easier).
>>>
>>> The service guhd is written in Qt and uses the sqlite3 lib to write a log
>>> database.
>>> Now following happens:
>>> - The service starts as root
>>> - The service opens the database connection
>>> - The db will be created in the snappy app data path:
>>> /var/lib/apps/guhio.sideload/IGKUccPPYHOe/guhd.log
>>> - The whole service crashes if it tries to create the database with the
>>> following code:
>>>
>>>    QSqlQuery query;
>>>    query.exec("CREATE TABLE metadata (key varchar(10), data
>>> varchar(40));");
>>>
>>> So I checked the syslog:
>>>
>>> $ sudo snappy-debug.security scanlog
>>>
>>> = Seccomp =
>>> Time: Nov 23 12:35:33
>>> Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1307 comm="guhd"
>>> exe="/apps/guhio.sideload/IGKUccPPYHOe/usr/bin/guhd" sig=31 arch=40000028
>>> 207(fchown32) compat=0 ip=0x765fe836 code=0x0
>>> Syscall: fchown32
>>> Suggestions:
>>> * don't copy ownership of files (eg, use 'cp -r --preserve=mode' instead
>>> of
>>> 'cp -a')
>>> * adjust program to not use 'fchown32'
>>>
>>> The strange thing: this code works on all systems (Debian Wheezy, Jessie
>>> and
>>> Ubuntu 12.04 - 15.10 amd64, i386, armhf) except Ubuntu Core. :(
>>>
>>> So I tried to create the db file using QFile, changed the permissions (in
>>> the code) before calling the sqlquery command, everything worked
>>> until....
>>> query.exec(...) -> bad system call.
>>>
>>> What could cause this behaviour?
>>> The suggestion: "adjust program to not use 'fchown32'" would mean: not
>>> using
>>> sqlite3 for me...? That is not an option currently.
>>> Is there anybody else using sqlite3 + Qt in a snap?
>>> Is there a possibility to use security templates or AppArmor to solve
>>> this
>>> issue?
>>> Why is it forbidden to call fchown32() in the snap's own app data path?
>>> I
>>> understand that the call should be unnecessary, but forbidden?
>>>
>>> I hope you guys can help me! :)
>>
>>
>> Two things to start:
>>
>>    1. security team audits if fchown32 can be allowed for all apps.
>>    2. if not let's try to understand why sqlite is doing fchown32 on a
>> query... did you see this in code?
>
> It looks like fchown will be used if the user id = 0 -> root.
>
> http://www.sqlite.org/src/doc/trunk/src/os_unix.c
>
> In my understanding, sqlite uses fchown() to change the ownership of the db
> file if root is running the query...
> to make sure this file will be owned by root after/before writing to the
> file?
>
> The strange thing is, the db file will be generated (0 Bytes), has the
> correct privileges, but cannot be written.
>
> I found this comment in the code (in the hope it will help):
>
> /*
> ** On some systems, calls to fchown() will trigger a message in a security
> ** log if they come from non-root processes.  So avoid calling fchown() if
> ** we are not running as root.
> */
>
> maybe there will be used a fchown somewhere where it shouldn't be used?

So they run this fchown unconditionally even if it's not needed? If so,
that would be an appropriate way to fix this upstream-style...


maybe change

  return osGeteuid() ? 0 : osFchown(fd,uid,gid);

to be more like:

  return osGeteuid() || osGeteuid() == uid ? 0 : osFchown(fd,uid,gid);

or a different variant

  return osGeteuid() || !uid ? 0 : osFchown(fd,uid,gid);

Thanks!

>
> Thanks for the help!
> Simon
>
>>   maybe its code that only exists to
>> workaround a scenario that can't happen on snappy systems and a clean
>> upstream patch can be made to?
>>
>> CCing Jamie/Tyler for 1.
>>
>>
>>
>>> Cheers,
>>> Simon
>>>
>>>
>>> --
>>> snappy-app-devel mailing list
>>> snappy-app-devel at lists.ubuntu.com
>>> Modify settings or unsubscribe at:
>>> https://lists.ubuntu.com/mailman/listinfo/snappy-app-devel
>
>

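The variant discussed above, written out as an added example (this is not sqlite's code nor guhIO's): sqlite's robustFchown() logic beside a version that fstat()s the descriptor and only issues fchown() when the owner or group actually differs. The names os_fchown, robust_fchown_upstream, robust_fchown_if_needed and compare_variants are assumptions made for this example, as is passing the effective uid in as a parameter instead of calling geteuid(), which lets the root code path be exercised without privileges. The temporary file under /tmp is a constructed stand-in for guhd.log.

```c
/* Added example, not code from sqlite or guhIO: the "only fchown() when
 * needed" variant of sqlite's robustFchown() proposed above, beside the
 * upstream behaviour, so the number of fchown syscalls can be compared.
 * Under a seccomp policy that forbids fchown32, every call the upstream
 * variant makes is fatal (SIGSYS, sig=31 in the log); the variant below
 * makes none when the file already has the requested owner and group.
 * Build: cc -std=c99 fchown_example.c -o fchown_example
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Number of real fchown() syscalls issued through os_fchown() (example
 * helper, assumed name; stands in for sqlite's osFchown). */
static int fchown_calls = 0;

static int os_fchown(int fd, uid_t uid, gid_t gid){
  fchown_calls++;
  return fchown(fd, uid, gid);
}

/* Upstream logic as quoted above: as root, always fchown(). The effective
 * uid is passed in instead of read via geteuid() so that the root path can
 * be exercised without privileges (an assumption for this example). */
int robust_fchown_upstream(int fd, uid_t uid, gid_t gid, uid_t euid){
  return euid ? 0 : os_fchown(fd, uid, gid);
}

/* Proposed variant: as root, fstat() the descriptor first and skip the
 * syscall when owner and group already match. This assumes fstat() is
 * allowed by the policy, which the log above (only fchown32 reported)
 * suggests but does not prove. */
int robust_fchown_if_needed(int fd, uid_t uid, gid_t gid, uid_t euid){
  struct stat st;
  if( euid ) return 0;                       /* not root: never fchown() */
  if( fstat(fd, &st)!=0 ) return -1;
  if( st.st_uid==uid && st.st_gid==gid ) return 0;  /* nothing to change */
  return os_fchown(fd, uid, gid);
}

/* Creates a temporary file owned by the caller (constructed stand-in for
 * guhd.log), runs both variants against it as if the process were root
 * (euid 0) and asked for the owner the file already has, and reports how
 * many fchown() syscalls each variant issued. Returns 0 on success, -1 on
 * setup failure. */
int compare_variants(int *upstream_calls, int *needed_calls){
  char path[] = "/tmp/guhd-log-XXXXXX";      /* constructed sample file */
  int fd = mkstemp(path);
  if( fd<0 ) return -1;
  unlink(path);                              /* fd stays valid */

  fchown_calls = 0;
  robust_fchown_upstream(fd, getuid(), getgid(), 0);
  *upstream_calls = fchown_calls;            /* syscall issued regardless */

  fchown_calls = 0;
  int rc = robust_fchown_if_needed(fd, getuid(), getgid(), 0);
  *needed_calls = fchown_calls;              /* owner already matches: none */

  close(fd);
  return rc==0 ? 0 : -1;
}

int main(void){
  int up = 0, nd = 0;
  if( compare_variants(&up, &nd)!=0 ){
    perror("setup");
    return 1;
  }
  printf("upstream variant:  %d fchown() call(s)\n", up);
  printf("if-needed variant: %d fchown() call(s)\n", nd);
  return 0;
}
```

The point of the comparison is that, for a log database sqlite itself just created as root, the file is already root-owned, so the fstat()-guarded variant never reaches the forbidden syscall; the upstream form reaches it on every open and under a SIGSYS-on-violation seccomp policy that is the crash Simon observed.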