Compare commits
10 Commits
6dce1c7d42
...
064df3a1c6
Author | SHA1 | Date |
---|---|---|
Go Compile | 064df3a1c6 | |
go-compile | 311ddecd26 | |
go-compile | 16f809bb5e | |
go-compile | 9ce23a6488 | |
go-compile | 5acde57e11 | |
go-compile | 8afecf5a95 | |
go-compile | 11a7ac2013 | |
go-compile | 2c4ebe71d9 | |
go-compile | 60177cebf2 | |
go-compile | c0a5e389d9 |
|
@ -0,0 +1,83 @@
|
|||
//go:build !windows
|
||||
|
||||
package aghos
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
"github.com/AdguardTeam/golibs/errors"
|
||||
)
|
||||
|
||||
// protectedDirectories are directories which contain other application binaries,
|
||||
// as such AdGuard Home should never attempt store application data here, at risk of
|
||||
// overwriting other files. Moreover, these directories are innapproriate for storage of
|
||||
// config files or session storage.
|
||||
var protectedDirectories = []string{
|
||||
"/usr/bin",
|
||||
"/usr/sbin",
|
||||
"/user/bin",
|
||||
}
|
||||
|
||||
// serviceInstallDir is a executable path in a directory which secure permissions
|
||||
// which prevent the manipulation of the binary.
|
||||
const serviceInstallDir = "/usr/bin/AdGuardHome"
|
||||
|
||||
// SecureBinary is used before service.Install(). This function protects AdGuardHome from
|
||||
// privilege escalation vulnerabilities caused by writable files
|
||||
func SecureBinary() error {
|
||||
// Installalation can only be completed with root privileges, so check and handle if not
|
||||
if os.Getuid() != 0 {
|
||||
return errors.Error("permission denied. Root privileges required")
|
||||
}
|
||||
|
||||
// Get current file path
|
||||
binary, err := os.Executable()
|
||||
if err != nil {
|
||||
return fmt.Errorf("os.Executable(): %w", err)
|
||||
}
|
||||
|
||||
// Change owner to root:root
|
||||
err = os.Chown(binary, 0, 0)
|
||||
if err != nil {
|
||||
return fmt.Errorf("os.Chown() %q: %w", binary, err)
|
||||
}
|
||||
|
||||
// Set permissions to root(read,write,exec), group(read,exec), public(read)
|
||||
// This combined with changing the owner make the file undeletable without root privlages
|
||||
// UNLESS THE PARENT FOLDER IS WRITABLE!
|
||||
err = os.Chmod(binary, 0755)
|
||||
if err != nil {
|
||||
return fmt.Errorf("os.Chmod() %q: %w", binary, err)
|
||||
}
|
||||
|
||||
// Move binary to the PATH in a folder which is read-only to non root users
|
||||
// If already moved, this is a no-op
|
||||
err = os.Rename(binary, serviceInstallDir)
|
||||
if err != nil {
|
||||
return fmt.Errorf("os.Rename() %q to %q: %w", binary, serviceInstallDir, err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// CurrentDirAvaliable returns true if it is okay to use this directory to store application
|
||||
// data.
|
||||
func CurrentDirAvaliable() (bool, error) {
|
||||
binary, err := os.Executable()
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("os.Executable(): %w", err)
|
||||
}
|
||||
|
||||
for i := 0; i < len(protectedDirectories); i++ {
|
||||
// Check if binary is within a protected directory
|
||||
if strings.HasPrefix(binary, protectedDirectories[i]) {
|
||||
// The binary is within a protected directory
|
||||
return false, nil
|
||||
}
|
||||
}
|
||||
|
||||
// The binary is outside of all checked protected directories
|
||||
return true, nil
|
||||
}
|
|
@ -0,0 +1,47 @@
|
|||
//go:build windows
|
||||
|
||||
package aghos
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"strings"
|
||||
)
|
||||
|
||||
// securePrefixDirectories is a list of directories where a service binary
|
||||
// has the appropriate permissions to mitigate a binary planting attack
|
||||
var securePrefixDirectories = []string{
|
||||
"C:\\Program Files",
|
||||
"C:\\Program Files (x86)",
|
||||
|
||||
// Some Windows users place binaries within /Windows/System32 to add it to %PATH%
|
||||
"C:\\Windows",
|
||||
}
|
||||
|
||||
// SecureBinary is used before service.Install(). This function protects AdGuardHome from
|
||||
// privilege escalation vulnerabilities caused by writable files
|
||||
func SecureBinary() error {
|
||||
// Get current file path
|
||||
binary, err := os.Executable()
|
||||
if err != nil {
|
||||
return fmt.Errorf("os.Executable(): %w", err)
|
||||
}
|
||||
|
||||
for i := 0; i < len(securePrefixDirectories); i++ {
|
||||
// Check if binary is within a secure folder write protected folder
|
||||
if strings.HasPrefix(binary, securePrefixDirectories[i]) {
|
||||
// The binary is within a secure directory already
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
// No secure directories matched
|
||||
return fmt.Errorf("insecure binary location for service instalation: %q. Please view: https://adguard-dns.io/kb/adguard-home/running-securely/", binary)
|
||||
}
|
||||
|
||||
// CurrentDirAvaliable returns true if it is okay to use this directory to store application
|
||||
// data.
|
||||
func CurrentDirAvaliable() (bool, error) {
|
||||
// We do not mind what directory is used on Windows
|
||||
return true, nil
|
||||
}
|
|
@ -783,9 +783,25 @@ func initWorkingDir(opts options) (err error) {
|
|||
return err
|
||||
}
|
||||
|
||||
// Can we use the current directory to store application data?
|
||||
pwdAvaliable, err := aghos.CurrentDirAvaliable()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if opts.workDir != "" {
|
||||
// If there is a custom config file, use it's directory as our working dir
|
||||
Context.workDir = opts.workDir
|
||||
} else if !pwdAvaliable {
|
||||
// If running as a service and from /usr/bin/ use /var/lib for working dir instead of
|
||||
// /usr/bin/data
|
||||
Context.workDir = "/var/lib/AdGuardHome"
|
||||
|
||||
// Create dir if it does not already exist
|
||||
err := os.MkdirAll(Context.workDir, 0755)
|
||||
if err != nil {
|
||||
return fmt.Errorf("os.MkdirAll: %s: %w", Context.workDir, err)
|
||||
}
|
||||
} else {
|
||||
Context.workDir = filepath.Dir(execPath)
|
||||
}
|
||||
|
|
|
@ -308,6 +308,11 @@ func handleServiceStatusCommand(s service.Service) {
|
|||
|
||||
// handleServiceStatusCommand handles service "install" command
|
||||
func handleServiceInstallCommand(s service.Service) {
|
||||
// Set the binary's permissions and move to /usr/bin (if on linux)
|
||||
if err := aghos.SecureBinary(); err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
err := svcAction(s, "install")
|
||||
if err != nil {
|
||||
log.Fatalf("service: executing action %q: %s", "install", err)
|
||||
|
|
Loading…
Reference in New Issue