Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

os: OpenRoot follows symlinks #71806

Closed
glycerine opened this issue Feb 18, 2025 · 5 comments
Closed

os: OpenRoot follows symlinks #71806

glycerine opened this issue Feb 18, 2025 · 5 comments
Labels
BugReport Issues describing a possible bug in the Go implementation. Documentation Issues describing a change to documentation. NeedsFix The path to resolution is known, but the work has not been done.

Comments

@glycerine
Copy link

Go version

go version 1.24.0

Output of go env in your module/workspace:

see below.

What did you do?

Reading #67002 and https://go.dev/doc/go1.24#directory-limited-filesystem-access, I was under the impression that the new os.Root was supposed to return an error on root.Open() of a symlink to /etc/ and then opening /etc/passwd.

On MacOS Sonoma 14.0, go 1.24.0 amd64:

uname -a
Darwin jbook.chimera-bass.ts.net 23.0.0 Darwin Kernel Version 23.0.0: Fri Sep 15 14\
:42:42 PDT 2023; root:xnu-10002.1.13~1/RELEASE_X86_64 x86_64

jaten@Js-MacBook-Pro ~/trash/root $ ln -s /etc symlink
ln -s /etc symlink
jaten@Js-MacBook-Pro ~/trash/root $ go run root.go
go run root.go
read file, got: '##
# User Database
# 
# Note that this file is consulted directly only when the system is running
# in single-user mode.  At other times this information is provided by
# Open Directory.
#
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
... the rest of my /etc/passwd file elided for security reasons...
'
jaten@Js-MacBook-Pro ~/trash/root $ go version
go version
go version go1.24.0 darwin/amd64
jaten@Js-MacBook-Pro ~/trash/root $ cat root.go
cat root.go
package main

import (
	"fmt"
	"os"
)

func main() {
	root, err := os.OpenRoot("symlink")
	if err != nil {
		panic(err)
	}
	fd, err := root.Open("passwd")
	if err != nil {
		panic(err)
	}
	buf := make([]byte, 1<<20)
	n, err := fd.Read(buf)
	if err != nil {
		panic(err)
	}
	fmt.Printf("read file, got: '%v'\n", string(buf[:n]))
}
jaten@Js-MacBook-Pro ~/trash/root $

jaten@Js-MacBook-Pro ~/trash/root $ go env
go env
AR='ar'
CC='clang'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='clang++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/Users/jaten/Library/Caches/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/Users/jaten/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/b6/q5ms8t4x5cjcpcpyjrb1h91c0000gn/T/go-build4060061549=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='amd64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD=''
GOMODCACHE='/Users/jaten/go/pkg/mod'
GONOPROXY='github.com/glycerine/*'
GONOSUMDB='github.com/glycerine/*'
GOOS='darwin'
GOPATH='/Users/jaten/go'
GOPRIVATE='github.com/glycerine/*'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='off'
GOTELEMETRYDIR='/Users/jaten/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/darwin_amd64'
GOVCS=''
GOVERSION='go1.24.0'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you see happen?

See above.

What did you expect to see?

Not to be able to access /etc/password from an os.Root in /Users/jaten/trash/root.
@glycerine
Copy link
Author

glycerine commented Feb 18, 2025
edited
Loading

@neild if this is supposed to be allowed, perhaps clarify the docs?

"Symbolic links must not be absolute." <- I was not sure if/how that was supposed to apply to pre-existing absolute symlinks. I'd like to be able to chroot a directory with absolute symlinks already in it (since I have a ton of these), but just not have them followed if opened.

@gabyhelp
Copy link

Related Issues

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@gabyhelp gabyhelp added the BugReport Issues describing a possible bug in the Go implementation. label Feb 18, 2025
@seankhliao seankhliao changed the title os.Root() on macos follows absolute symlink to /etc os: OpenRoot follows symlinks Feb 18, 2025
@seankhliao
Copy link
Member

The parts you quote are only for methods, after you've opened a root.

Conceptually, the only safe way is to start from a trusted location, in your case os.OpenRoot("."), after which you can't follow links out.

@seankhliao seankhliao added the NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. label Feb 18, 2025
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/650355 mentions this issue: os: document that OpenRoot follows symlinks

@seankhliao seankhliao added Documentation Issues describing a change to documentation. NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. labels Feb 18, 2025
@neild
Copy link
Contributor

neild commented Feb 18, 2025
edited by gabyhelp
Loading

As @seankhliao says, the name passed to os.OpenRoot is expected to be a trusted path, and OpenRoot will follow symlinks in that path. Once you have an *os.Root, methods on the Root ensure that operations remain within that root. This is something the docs could probably be clearer on; sent CL 650355.

I'd like to be able to chroot a directory with absolute symlinks already in it (since I have a ton of these), but just not have them followed if opened.

If an operation in a Root would traverse an absolute symlink, the operation fails (even if the symlink resolves to a location inside the root). So I think Root behaves the way you want here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
BugReport Issues describing a possible bug in the Go implementation. Documentation Issues describing a change to documentation. NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@neild @glycerine @gopherbot @seankhliao @gabyhelp