author: Kartik K. Agaram <vc@akkartik.com> 2022-02-20 04:57:01 -0800
committer: Kartik K. Agaram <vc@akkartik.com> 2022-02-20 05:01:28 -0800
commit: f8f1ec666afd0ec85fd6a7eff5f5b728412b4c98 (patch)
tree: a3779dc40e5e8bccba9bb269864ce24dc0b69b2c
parent: b36927e35cd26d17199d748d3ece20f760630926 (diff)
download: teliva-f8f1ec666afd0ec85fd6a7eff5f5b728412b4c98.tar.gz
stop letting apps change directory
I introduced this ability when I packaged up the lfs directory, but it
can enable apps to circumvent sandboxing rules in some situations. If
you can socially engineer someone to allow reading a file called
'passwd' in the current directory, you can now change directory to /etc
and read something sensitive.

Protecting against stuff like this gets subtle. It's easy for people to
create policies that aren't robust to changing directories. Requiring
absolute paths is also pretty unfriendly. So the whole notion of current
directory is perhaps implicit state that is confusing to manage. Fix it
in the context of a single session.
-rw-r--r--  README.md  1
-rw-r--r--  src/lfs.c  4
2 files changed, 3 insertions, 2 deletions
diff --git a/README.md b/README.md
index 1d962e3..64ec9e6 100644
--- a/README.md
+++ b/README.md
@@ -187,6 +187,7 @@ Teliva also introduces some incompatibilities to protect computer owners:
   - `os.execute`, `os.getenv`, `io.popen`
   - `io.lines` (not a security issue; just difficult to distinguish missing
     files from sandboxing issues)
+  - `lfs.chdir`, `lfs.currentdir`
 * Some functions are disabled because they don't seem to make sense in an
   ncurses environment. This includes the Lua notions of default files, which
   start out as stdin/stdout.
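Review bot: the new `lfs.chdir`, `lfs.currentdir` entry gives no reason, while the neighbouring `io.lines` item explains its exception in a parenthetical; since this list is the one that "protect[s] computer owners", a short note such as `(changing the current directory would let an app turn a permission granted for a relative path into access to a different file)` would tell readers this is a sandbox decision rather than a missing feature, and it matches the rationale in the commit message.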
diff --git a/src/lfs.c b/src/lfs.c
index 29c4f55..536bf99 100644
--- a/src/lfs.c
+++ b/src/lfs.c
@@ -1156,8 +1156,8 @@ static void set_info(lua_State * L)
 
 static const struct luaL_Reg fslib[] = {
   { "attributes", file_info },
-  { "chdir", change_dir },
-  { "currentdir", get_dir },
+  /* no 'chdir' without sandboxing it */
+  /* no 'currentdir' without sandboxing it */
   { "dir", dir_iter_factory },
   { "link", make_link },
   { "lock", file_lock },
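Review bot: removing the two `fslib` entries leaves `change_dir` and `get_dir` defined but unreferenced in `src/lfs.c`, which will produce `-Wunused-function` warnings (or errors under `-Werror`) on static functions; either delete the two function bodies in the same change or, if they are kept for a future sandboxed version as the comments suggest, wrap them in `#if 0 ... #endif` so the build stays warning-free. The comments could also state what "sandboxing it" would have to mean (resolving paths against the directory a permission was granted in), otherwise the next maintainer may simply re-add the table entries.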