Forbidden sqlite3 system call

Simon Stürz timonmailinglist at gmail.com
Wed Nov 25 17:24:55 UTC 2015



On 2015-11-25 16:49, Alexander Sack wrote:
> On Mon, Nov 23, 2015 at 5:08 PM, Simon Stürz <timonmailinglist at gmail.com> wrote:
>> Hello everyone!
>>
>> I have been trying for quite a while to publish our IoT server guhIO in the snappy
>> store. Unfortunately that has not been possible so far
>> because I had to use the security template "unconfined" (which is not a good
>> idea, but made the development process easier).
>>
>> The service guhd is written in Qt and uses the sqlite3 lib to write a log
>> database.
>> Now following happens:
>> - The service starts as root
>> - The service opens the database connection
>> - The db will be created in the snappy app data path:
>> /var/lib/apps/guhio.sideload/IGKUccPPYHOe/guhd.log
>> - The whole service crashes if it tries to create the database with the
>> following code:
>>
>>    QSqlQuery query;
>>    query.exec("CREATE TABLE metadata (key varchar(10), data varchar(40));");
>>
>> So I checked the syslog:
>>
>> $ sudo snappy-debug.security scanlog
>>
>> = Seccomp =
>> Time: Nov 23 12:35:33
>> Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1307 comm="guhd"
>> exe="/apps/guhio.sideload/IGKUccPPYHOe/usr/bin/guhd" sig=31 arch=40000028
>> 207(fchown32) compat=0 ip=0x765fe836 code=0x0
>> Syscall: fchown32
>> Suggestions:
>> * don't copy ownership of files (eg, use 'cp -r --preserve=mode' instead of
>> 'cp -a')
>> * adjust program to not use 'fchown32'
>>
>> The strange thing: this code works on all systems (Debian Wheezy, Jessie and
>> Ubuntu 12.04 - 15.10 amd64, i386, armhf) except Ubuntu Core. :(
>>
>> So I tried to create the db file using QFile, changed the permissions (in
>> the code) before calling the sqlquery command, everything worked until....
>> query.exec(...) -> bad system call.
>>
>> What could cause this behaviour?
>> The suggestion: "adjust program to not use 'fchown32'" would mean: not using
>> sqlite3 for me...? That is not an option currently.
>> Is there anybody else using sqlite3 + Qt in a snap?
>> Is there a possibility to use security templates or AppArmor to solve this
>> issue?
>> Why is it forbidden to call fchown32() in the snap's own app data path? I
>> understand that the call should be unnecessary, but forbidden?
>>
>> I hope you guys can help me! :)
>
> Two things to start:
>
>    1. security team audits if fchown32 can be allowed for all apps.
>    2. if not let's try to understand why sqlite is doing fchown32 on a
> query... did you see this in code?
It looks like fchown will be used if the user id = 0 -> root.

http://www.sqlite.org/src/doc/trunk/src/os_unix.c

In my understanding, sqlite uses fchown() to change the ownership of the 
db file if root is running the query...
to make sure this file will be owned by root after/before writing to 
the file?

The strange thing is, the db file will be generated (0 Bytes), has the 
correct privileges, but cannot be written.

I found this comment in the code (in the hope it will help):

/*
** On some systems, calls to fchown() will trigger a message in a security
** log if they come from non-root processes.  So avoid calling fchown() if
** we are not running as root.
*/

maybe a fchown is being used somewhere it shouldn't be?

Thanks for the help!
Simon
>   maybe it's code that only exists to
> work around a scenario that can't happen on snappy systems and a clean
> upstream patch can be made?
>
> CCing Jamie/Tyler for 1.
>
>
>
>> Cheers,
>> Simon
>>
>>
>> --
>> snappy-app-devel mailing list
>> snappy-app-devel at lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/snappy-app-devel
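An added example, not code from the thread, from guhIO or from sqlite: a small C program that reproduces the denial outside snappy with a seccomp-BPF filter of its own, and models the guard sqlite applies around fchown() in os_unix.c (the comment quoted above: only a root process issues the call, when it gives a newly created journal or WAL file the owner of the main database). It shows three things a practitioner wants to check before filing the upstream patch Alexander suggests: the call is harmless without a filter, a filter turns it into a failure, and the root guard does nothing for a service that runs as root, which is exactly the situation described in the first mail. The function names deny_fchown, robust_fchown, create_sidecar, unguarded_fchown and run_scenario, the /tmp fixture and the use of SECCOMP_RET_ERRNO (instead of the SIGSYS kill snappy's policy delivers) are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* 32-bit ABIs (i386, armhf: the 207(fchown32) in the log) have a separate
 * fchown32; 64-bit ABIs only have fchown, so comparing the same number twice
 * is harmless there. */
#ifndef __NR_fchown32
#define __NR_fchown32 __NR_fchown
#endif

/* Install a seccomp-BPF filter that fails fchown()/fchown32() with EPERM.
 * snappy's policy uses SECCOMP_RET_KILL (SIGSYS, the "bad system call" in the
 * thread); ERRNO is used here so the process survives and the result can be
 * inspected. Returns 0 on success, -1 with errno set otherwise. */
int deny_fchown(void) {
    struct sock_filter filt[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fchown, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fchown32, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(filt) / sizeof(filt[0]), .filter = filt };
    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* The guard from the sqlite comment: only an euid-0 process issues the
 * syscall. Returns 0 if skipped or successful, else the errno from fchown(). */
int robust_fchown(int fd, uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 0;
    return fchown(fd, uid, gid) == 0 ? 0 : errno;
}

/* Create `sidecar` (think "<db>-journal") and give it the owner of `dbpath`
 * through the guard. Returns 0, the errno from fchown(), or -1 on I/O error. */
int create_sidecar(const char *dbpath, const char *sidecar) {
    struct stat st;
    if (stat(dbpath, &st) != 0) return -1;
    int fd = open(sidecar, O_RDWR | O_CREAT, 0644);
    if (fd < 0) return -1;
    int rc = robust_fchown(fd, st.st_uid, st.st_gid);
    close(fd);
    return rc;
}

/* fchown() with no guard, to the owner the file already has: a no-op for the
 * kernel, but still a syscall the filter sees. Returns 0 or errno, -1 on I/O error. */
int unguarded_fchown(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    int rc = fchown(fd, st.st_uid, st.st_gid) == 0 ? 0 : errno;
    close(fd);
    return rc;
}

/* Whole scenario on a throwaway database file (constructed fixture).
 * Returns 0 when every step behaves as expected, -1 if the kernel or sandbox
 * refused the seccomp filter, or the number of the failing step. */
int run_scenario(void) {
    char dir[] = "/tmp/fchown-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return 1;
    char db[64], journal[64];
    snprintf(db, sizeof db, "%s/guhd.log", dir);
    snprintf(journal, sizeof journal, "%s/guhd.log-journal", dir);
    int result = 0;
    int fd = open(db, O_RDWR | O_CREAT, 0644);
    if (fd < 0) result = 2; else close(fd);
    /* 3: without a filter the ownership call is permitted. */
    if (!result && unguarded_fchown(db) != 0) result = 3;
    /* 4: install the filter (not a step failure if the environment refuses). */
    if (!result && deny_fchown() != 0) result = -1;
    /* 5: the same call now fails with EPERM (SIGSYS under snappy's policy). */
    if (!result && unguarded_fchown(db) != EPERM) result = 5;
    /* 6: the guard keeps a non-root process off the syscall entirely, but as
     * root it still fires, which is why a root service crashes. */
    if (!result && create_sidecar(db, journal) != (geteuid() == 0 ? EPERM : 0)) result = 6;
    unlink(journal); unlink(db); rmdir(dir);
    return result;
}

int main(void) {
    int rc = run_scenario();
    if (rc == 0)
        printf("fchown allowed, then refused; guard %s\n",
               geteuid() ? "kept us off the syscall" : "did not help as root");
    else if (rc == -1)
        printf("seccomp filter could not be installed here\n");
    else
        printf("unexpected result at step %d\n", rc);
    return rc > 0;
}
```

Build with `gcc -o fchown-demo fchown-demo.c` (Linux only) and run it once as a normal user and once under sudo: the second run is the one that matches the thread, because the root guard is the only thing sqlite has between the query and the syscall. The quick check on the real binary is `strace -f -e trace=fchown ./guhd` on a 64-bit host, which shows whether the call comes from the journal path or from somewhere else before any seccomp policy gets involved.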



