checkpath: fix CVE-2018-21269

This walks the directory path to the file we are going to manipulate to make
sure that when we create the file and change the ownership and permissions
we are working on the same file.
Also, all non-terminal symbolic links must be owned by root. This will
keep a non-root user from making a symbolic link as described in the
bug. If root creates the symbolic link, it is assumed to be trusted.

On non-linux platforms, we no longer follow non-terminal symbolic links
by default. If you need to do that, add the -s option on the checkpath
command line, but keep in mind that this is not secure.

This fixes #201.

1 files changed, 6 insertions, 0 deletions

diff --git a/man/openrc-run.8 b/man/openrc-run.8
index 1102daaa..ec4b88de 100644
--- a/man/openrc-run.8
+++ b/man/openrc-run.8
@@ -461,6 +461,7 @@ Mark the service as inactive.
 .Op Fl p , -pipe
 .Op Fl m , -mode Ar mode
 .Op Fl o , -owner Ar owner
+.Op Fl s , -symlinks
 .Op Fl W , -writable
 .Op Fl q , -quiet
 .Ar path ...
@@ -481,6 +482,11 @@ or with names, and are separated by a colon.
 The truncate options (-D and -F) cause the directory or file to be
 cleared of all contents.
 .Pp
+If -s is not specified on a non-linux platform, checkpath will refuse to
+allow non-terminal symbolic links to exist in the path. This is for
+security reasons so that a non-root user can't create a symbolic link to
+a root-owned file and take ownership of that file.
+.Pp
 If -W is specified, checkpath checks to see if the first path given on
 the command line is writable.  This is different from how the test
 command in the shell works, because it also checks to make sure the file