Hacker News new | ask | show | jobs
by IvyMike 4067 days ago
I think DasIch is saying "why allow file(1) to open sockets, write to arbitrary files, and run external programs"?

Given the correct input, at least a month ago, it could do all of those things.

(I am not sure that attempting to enforce this within the file(1) binary is optimal... after all, even though the attack surface is much reduced, file(1) could still have a bug somewhere prior to the sandboxing. If you could do a "chpriv -write_to_disk -socket -run_external_program /bin/file" that the OS would enforce, that would be cool. Someone should create that.)
2 comments
raldi 4067 days ago
> why allow file() to open sockets

If by "open sockets" you mean open existing sockets in read-only mode, it's so that it can identify them as sockets. If by "open sockets" you mean create new sockets, I don't think it does do that:

https://github.com/threatstack/libmagic/search?utf8=%E2%9C%9...

> write to arbitrary files

It appears it only does this if running on OS/2 and investigating what's inside a compressed file. Under these conditions, a temporary file is necessary for platform-specific reasons:

https://github.com/threatstack/libmagic/blob/3dea7072b8d7e92...

https://github.com/threatstack/libmagic/blob/3dea7072b8d7e92...

It also writes to a non-arbitrary mmapped file (the magic database), because that's how such databases work; you query them by writing to them in a particular way:

https://github.com/threatstack/libmagic/blob/3dea7072b8d7e92...

> run external programs

I can't find any examples where it does that. Do you know of any?

link
IvyMike 4067 days ago
"It may be possible for such an attacker to execute arbitrary code with the privileges of the user running file(1)."

This is what I am saying...given the right input, file(1) could do anything and everything. Yes, it's only due to a bug in file(1), but still that's kind of ridiculous.

We have all sorts of things in place to protect against other bugs (for example, segmentation faults), and there's 27 years of evidence that we need some more help.

link
bandrami 4067 days ago
Yes, it's only due to a bug in file(1), but still that's kind of ridiculous

I point again to:

http://en.wikipedia.org/wiki/Halting_problem

If you are reading in from a file, and you make decisions that are complex enough to be S- and K- combinators (or a concept of "if" and "jump", or some other minimal set), then you have given an attacker a Turing machine.

link
IvyMike 4067 days ago
I agree.

But what I'm saying is that the Turing machine should not be connected to a gun. And being hooked up to an idle gun should not be the default for every program.

link
bandrami 4067 days ago
why allow file(1) to open sockets, write to arbitrary files, and run external programs

Well, there's not code in file(1) to do that, but there's code that reads data in and makes decisions based on that data. Which means, if your attacker is more careful than the programmer was, you have possibly given that attacker a Turing machine.

link