lacks handling of (not-so-)special cases in pa_make_secure_dir()

Submitted by Michael Shigorin

Assigned to pul..@..op.org

Description

Created attachment 56630 strace output

As of pulseaudio-1.1, both src/daemon/main.c::change_user() and src/pulsecore/core-util.c::pa_make_secure_dir() are pretty ignorant of target directory being already there with proper permissions and rush to mkdir()/fchown()/fchmod() for no good reason.

My original problem occurs on r/o NFSv3 Linux 2.6.32 thin client root filesystem while trying to run pulseaudio --system (used to work like charm with 0.9.5):

pulseaudio --system

Here's localhost test re-run with r/w ext4 rootfs:

pulseaudio --system -v -v

W: [pulseaudio] main.c: Running in system mode, but --disallow-exit not set! W: [pulseaudio] main.c: Running in system mode, but --disallow-module-loading not set! N: [pulseaudio] main.c: Running in system mode, forcibly disabling SHM mode! N: [pulseaudio] main.c: Running in system mode, forcibly disabling exit idle time! D: [pulseaudio] core-rtclock.c: Timer slack is set to 50 us. D: [pulseaudio] core-util.c: setpriority() worked. I: [pulseaudio] core-util.c: Successfully gained nice level -11. I: [pulseaudio] main.c: Found user 'pulse' (UID 144) and group 'pulse' (GID 56). I: [pulseaudio] main.c: Successfully dropped root privileges. I: [pulseaudio] main.c: This is PulseAudio 1.1 D: [pulseaudio] main.c: Compilation host: i586-alt-linux-gnu D: [pulseaudio] main.c: Compilation CFLAGS: -pipe -Wall -g -O2 -march=i586 -mtune=i686 -W -Wextra -Wno-long-long -Wvla -Wno-overlength-strings -Wunsafe-loop-optimizations -Wundef -Wformat=2 -Wlogical-op -Wsign-compare -Wformat-security -Wmissing-include-dirs -Wformat-nonliteral -Wpointer-arith -Winit-self -Wdeclaration-after-statement -Wfloat-equal -Wmissing-prototypes -Wredundant-decls -Wmissing-declarations -Wmissing-noreturn -Wshadow -Wendif-labels -Wcast-align -Wstrict-aliasing -Wwrite-strings -Wno-unused-parameter -ffast-math -Wp,-D_FORTIFY_SOURCE=2 -fno-common -fdiagnostics-show-option D: [pulseaudio] main.c: Running on host: Linux i686 3.2.2-std-pae-alt1 #1 SMP Wed Feb 1 06:39:46 UTC 2012 D: [pulseaudio] main.c: Found 2 CPUs. I: [pulseaudio] main.c: Page size is 4096 bytes D: [pulseaudio] main.c: Compiled with Valgrind support: no D: [pulseaudio] main.c: Running in valgrind mode: no D: [pulseaudio] main.c: Running in VM: no D: [pulseaudio] main.c: Optimized build: yes D: [pulseaudio] main.c: All asserts enabled. I: [pulseaudio] main.c: Machine ID is afe81388ef56429371ec614748402b92. E: [pulseaudio] core-util.c: Failed to create secure directory: Operation not permitted

getent passwd pulse

pulse:x:144:56:Pulseaudio daemon:/var/run/pulse:/dev/null

ls -ld /var/run/pulse

drwxrwx--x 2 root pulse 4096 Nov 17 15:46 /var/run/pulse

/var/run/pulse (0771,root,pulse) and the user/group prepared by ALT Linux pulseaudio-system subpackage in both cases.

Syscalls up to the finishing rmdir() (included as a beacon not as a culprit, full strace output attached):

umask(022) = 022 mkdir("/var/run/pulse", 0755) = -1 EEXIST (File exists) umask(022) = 022 open("/var/run/pulse", O_RDONLY|O_NOCTTY|O_LARGEFILE|O_NOFOLLOW|O_CLOEXEC) = 3 fstat64(3, {st_mode=S_IFDIR|0771, st_size=4096, ...}) = 0 getuid32() = 144 getgid32() = 56 fchown32(3, 144, 56) = -1 EPERM (Operation not permitted) rmdir("/var/run/pulse") = -1 EACCES (Permission denied)

Seen also: https://bugzilla.redhat.com/show_bug.cgi?id=508072 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1299

Attachment 56630, "strace output":
pulseaudio-system.strace

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information