From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 21 Feb 2012 14:23:46 -0500
Subject: [refpolicy] A few tweaks for the gitolite policy
In-Reply-To: <1329321693.8039.35.camel@i5.mricon.com>
References: <1329321693.8039.35.camel@i5.mricon.com>
Message-ID: <4F43EF42.4000602@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 2/15/2012 11:01 AM, Konstantin Ryabitsev wrote:
> ADCs are "Admin-defined commands" that come bundled with gitolite.
> Though they are normally not packaged, they are part of the gitolite
> distribution and are almost always installed by admins:
>
> http://sitaramc.github.com/gitolite/shipped_ADCs.html
>
> It would be welcome if the default gitosis policy allowed them to work.
> It already partially supports ADCs by permitting:
> exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)

This is something we want to avoid if possible. Executing files that can
also be written by the same domain is a good opening for arbitrary code
execution. It sounds like the files should be labeled something else,
e.g. gitosis_exec_t or gitosis_adc_t.

> From my recent experience, it also requires the following:
>
> * managing files in /tmp, as a couple of these ADCs use here-docs
>   (bash writes those out into /tmp/sh-thd-{timestamp} and then
>   reads them back in)
> * ability to execute /usr/bin/gl-* (gitosis_exec_t) -- notably the
>   "fork" ADC relies on that.

I'd have to see the changes, but that seems reasonable.

> I don't submit a patch, because I wanted to leave it up to the
> maintainer's discretion whether to add support for the default ADCs.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
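The shape of the change discussed above, as an added example and not code from this thread or from refpolicy's gitosis module: the write+execute pairing on gitosis_var_lib_t is shown beside a separate execute-only ADC type, plus the /tmp and /usr/bin/gl-* rules Konstantin lists. The ADC directory path in the .fc fragment and the gitosis_tmp_t type are assumptions (GL_ADC_PATH is admin-chosen, and the existing module may already declare a tmp type); all interfaces and patterns used are ones that exist in refpolicy.

```selinux
# gitosis.te fragment (added example, not the refpolicy module itself)

# --- What the policy currently permits: the objectionable combination ---
# gitosis_t may both write and execute gitosis_var_lib_t, so anything the
# gitolite user can drop under /var/lib/gitolite becomes runnable as gitosis_t.
manage_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)

# --- Proposed shape: a dedicated type for the shipped ADCs ---
# Execute-only for gitosis_t: no create/write/unlink rules are granted on it,
# so the domain cannot forge an ADC and then run it.
type gitosis_adc_t;
files_type(gitosis_adc_t)
can_exec(gitosis_t, gitosis_adc_t)

# The "fork" ADC re-executes gitolite's own helpers, /usr/bin/gl-*, which
# already carry gitosis_exec_t.
can_exec(gitosis_t, gitosis_exec_t)

# bash here-docs: give gitosis_t a private tmp type (assumed name) and a
# type transition so /tmp/sh-thd-* is created as gitosis_tmp_t, not tmp_t.
type gitosis_tmp_t;
files_tmp_file(gitosis_tmp_t)
manage_files_pattern(gitosis_t, gitosis_tmp_t, gitosis_tmp_t)
files_tmp_filetrans(gitosis_t, gitosis_tmp_t, file)

# gitosis.fc fragment (path is an assumption; adjust to the site's GL_ADC_PATH)
/var/lib/gitolite/adc(/.*)?    gen_context(system_u:object_r:gitosis_adc_t,s0)
```

After loading the module, the check that matters is that no rule lets gitosis_t write the type it executes: `sesearch -A -s gitosis_t -t gitosis_adc_t -c file -p write` should return nothing, while the same query with `-p execute` returns the can_exec rule. Relabeling the ADC directory with `restorecon -R` on the chosen path is needed before the new type takes effect.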