Bug 1212866 - AUDIT-FIND: gromox: gromox-snapshot running as root unnecessarily since v2.10
Summary: AUDIT-FIND: gromox: gromox-snapshot running as root unnecessarily since v2.10
Status: RESOLVED NORESPONSE
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Importance: P5 - None Normal
Target Milestone: ---
Assignee: Jan Engelhardt
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-29 14:59 UTC by Wolfgang Frisch
Modified: 2023-07-24 18:30 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Wolfgang Frisch 2023-06-29 14:59:02 UTC
openSUSE:Factory/gromox was recently updated with a change to one of its systemd services:

> -RPM: gromox-2.9-1.2.x86_64.rpm on x86_64
> +RPM: gromox-2.10-1.1.x86_64.rpm on x86_64
>  Package: gromox
>  Service path: /usr/lib/systemd/system/gromox-snapshot.service
> -Runs as: gromox:gromox
> +Runs as: root:root
>  Exec lines:
>      ExecStart=/usr/libexec/gromox/gromox-snapshot

The last version of gromox-snapshot did not require root,
so we should consider if this is necessary at all.
Comment 1 Wolfgang Frisch 2023-06-29 15:34:13 UTC
gromox-snapshot manages btrfs snapshots of mailboxes.

Its functionality is implemented as a standalone program under `tools/snapshot.cpp` which is rather small and, at first sight, has no obvious problems, apart from maybe the config file parser that I did not look into.

The program uses `/usr/sbin/btrfs` to execute all snapshot operations. Snapshot creation does not require root privileges. However, gromox-2.10 gained the ability to purge (delete) old snapshots via `btrfs subvolume delete`, which *does* require root after all, hence this change in the system service.

The impact of a hypothetical vulnerability is wisely limited with several systemd hardenings:

> PrivateDevices=no
> PrivateNetwork=yes
> PrivateUsers=no
> ProtectKernelTunables=yes
> ProtectKernelModules=yes
> ProtectControlGroups=yes
> MemoryDenyWriteExecute=yes
> SystemCallFilter=@default @file-system @basic-io @system-service

Fine so far.

However, it appears we don't need root at all, thanks to a new-ish btrfs feature introduced with Linux 4.18: rmdir_subvol.

Quote from the btrfs(5) man page:

> Historically, any user could create a snapshot even if he was not owner
> of the source subvolume, the subvolume deletion has been restricted for
> that reason. The subvolume creation has been restricted but this mount
> option is still required. This is a usability issue. Since 4.18, the
> rmdir(2) syscall can delete an empty subvolume just like an ordinary
> directory. Whether this is possible can be detected at runtime, see
> rmdir_subvol feature in FILESYSTEM FEATURES.

The presence of this feature is indicated by the existence of `/sys/fs/btrfs/features/rmdir_subvol`, which is the case on openSUSE Tumbleweed and should be the case for openSUSE Leap 15.2 and later.

In short: It should be sufficient to simply delete the snapshot directory recursively in order to purge the snapshot, as long as we have kernel 4.18+ with the `rmdir_subvol` btrfs feature enabled.

gromox-snapshot should check for the presence of this feature via sysfs, and retain the old code path for compatibility with older distros, which can then patch the systemd file to run as root:root.
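An added example (not gromox's own code from `tools/snapshot.cpp`) of the dual code path Comment 1 proposes: probe the sysfs marker, purge the snapshot with a recursive delete that ends in rmdir(2) when the feature is present, and otherwise fall back to `btrfs subvolume delete`, which still needs root. The function names, the `dry_run` flag and the constructed temp-directory stand-in for a snapshot are assumptions; the rmdir path also assumes the snapshot is writable by the service user.

```cpp
#include <sys/wait.h>
#include <unistd.h>
#include <filesystem>
#include <fstream>
#include <string>

namespace fs = std::filesystem;

// Kernels >= 4.18 export this marker when rmdir(2) can delete an empty subvolume (btrfs(5)).
// The path is a parameter so a test can point it at a constructed file.
bool rmdir_subvol_supported(const fs::path &marker = "/sys/fs/btrfs/features/rmdir_subvol")
{
	std::error_code ec;
	return fs::exists(marker, ec) && !ec;
}
// Legacy path, needs root: exec /usr/sbin/btrfs directly (no shell, so the path is never re-parsed).
int run_btrfs_delete(const fs::path &snap)
{
	pid_t pid = fork();
	if (pid == 0) {
		execl("/usr/sbin/btrfs", "btrfs", "subvolume", "delete", snap.c_str(), (char *)nullptr);
		_exit(127);
	}
	int status = 0;
	if (pid < 0 || waitpid(pid, &status, 0) < 0)
		return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
// Purge one snapshot; returns "rmdir", "btrfs-delete" or "error". With rmdir_subvol, remove_all()
// unlinks the contents and ends with rmdir(2) on the empty subvolume root, so no root is needed.
std::string purge_snapshot(const fs::path &snap, bool use_rmdir, bool dry_run = false)
{
	std::error_code ec;
	if (!fs::is_directory(snap, ec) || ec)
		return "error";
	if (dry_run)
		return use_rmdir ? "rmdir" : "btrfs-delete";
	if (use_rmdir) {
		fs::remove_all(snap, ec);
		return (!ec && !fs::exists(snap)) ? "rmdir" : "error";
	}
	return run_btrfs_delete(snap) == 0 ? "btrfs-delete" : "error";
}
// Constructed stand-in for a snapshot: a temp directory holding one nested file.
fs::path make_fake_snapshot(const std::string &name)
{
	fs::path dir = fs::temp_directory_path() / name;
	fs::create_directories(dir / "mailbox");
	std::ofstream(dir / "mailbox" / "msg.eml") << "constructed sample\n";
	return dir;
}
```

On a real btrfs volume the caller would pass `rmdir_subvol_supported()` as `use_rmdir`; the service unit only needs root when that returns false.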
Comment 2 Wolfgang Frisch 2023-06-29 15:42:36 UTC
https://github.com/grommunio/gromox/issues/61
Comment 3 Jan Engelhardt 2023-07-24 18:30:40 UTC
No further comments were posted on Github.