Two vulnerabilities found in Snap that allow running code as root

Qualys disclosed two vulnerabilities (CVE-2021-44731 and CVE-2021-44730) in the snap-confine utility, which ships with the SUID root bit set and is invoked by the snapd process to prepare the execution environment for applications distributed as snap packages.

The blog post states that the vulnerabilities allow an unprivileged local user to execute code as root on the system.

The first vulnerability allows a hard-link manipulation attack, but it requires the system's hard-link protection to be disabled (sysctl fs.protected_hardlinks set to 0).

The problem stems from incorrect verification of the location of the snap-update-ns and snap-discard-ns executables, which run as root. The path to these files is computed in the sc_open_snapd_tool() function from the path of the running binary as read from /proc/self/exe, which lets an attacker create a hard link to snap-confine in a directory they control and place their own versions of snap-update-ns and snap-discard-ns in that same directory. When started through that hard link, snap-confine, running as root, executes the attacker-substituted snap-update-ns and snap-discard-ns files from the current directory.
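To make the trust problem concrete, here is an added example (not snapd's code, and not the fix that was shipped): a privileged helper that reads the fs.protected_hardlinks sysctl, refuses to proceed when its own executable has more than one hard link, and validates a sibling tool at a fixed path instead of one derived from /proc/self/exe. The expected-owner parameter and the temporary file names are assumptions for this example; self_test() exercises the checks on constructed temporary files so it runs without root or a snapd install.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read one integer sysctl, e.g. /proc/sys/fs/protected_hardlinks.
 * Returns the value, or -1 if the file cannot be read or parsed. */
int read_sysctl_flag(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int value = -1;
    if (fscanf(f, "%d", &value) != 1)
        value = -1;
    fclose(f);
    return value;
}

/* Returns 1 if the file behind exe_path has exactly one hard link, else 0.
 * A second name for the binary in an attacker's directory is what makes
 * /proc/self/exe an untrustworthy base for locating sibling tools. */
int exe_path_is_unique(const char *exe_path)
{
    struct stat st;
    if (stat(exe_path, &st) != 0)
        return 0;
    return st.st_nlink == 1;
}

/* Validate a helper at a fixed, compiled-in path: a regular file owned by
 * expected_uid, not writable by group or others, with a single hard link.
 * Returns 0 if acceptable, -1 otherwise. */
int verify_helper(const char *path, uid_t expected_uid)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    if (st.st_uid != expected_uid || st.st_nlink != 1)
        return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -1;
    return 0;
}

/* Constructed self-check on temporary files (assumed writable /tmp).
 * Returns the number of failed expectations; 0 means all passed. */
int self_test(void)
{
    int failures = 0;
    char flag_file[] = "/tmp/flag.XXXXXX";
    int fd = mkstemp(flag_file);
    if (fd < 0)
        return 1;
    if (write(fd, "1\n", 2) != 2)
        failures++;
    close(fd);
    if (read_sysctl_flag(flag_file) != 1)          /* "1" parsed as enabled */
        failures++;
    unlink(flag_file);

    char helper[] = "/tmp/helper.XXXXXX";
    fd = mkstemp(helper);
    if (fd < 0)
        return failures + 1;
    close(fd);
    if (chmod(helper, 0755) != 0 || verify_helper(helper, getuid()) != 0)
        failures++;                                /* sane helper accepted */
    if (verify_helper(helper, getuid() + 1) != -1)
        failures++;                                /* wrong owner rejected */
    if (chmod(helper, 0777) != 0 || verify_helper(helper, getuid()) != -1)
        failures++;                                /* world-writable rejected */
    (void)chmod(helper, 0755);
    char alias[64];
    snprintf(alias, sizeof alias, "%s.link", helper);
    if (link(helper, alias) == 0) {                /* skipped if links are refused */
        if (exe_path_is_unique(helper) != 0 || verify_helper(helper, getuid()) != -1)
            failures++;                            /* a second name is rejected */
        unlink(alias);
    }
    if (exe_path_is_unique(helper) != 1)
        failures++;
    unlink(helper);
    return failures;
}

int main(void)
{
    int hl = read_sysctl_flag("/proc/sys/fs/protected_hardlinks");
    printf("fs.protected_hardlinks = %d (%s)\n", hl,
           hl == 1 ? "hardening present" : "disabled or unreadable");
    printf("running binary has a single name: %s\n",
           exe_path_is_unique("/proc/self/exe") ? "yes" : "no");
    printf("self_test failures: %d\n", self_test());
    return 0;
}
```

Run it as an ordinary user: a value of 0 for fs.protected_hardlinks is the precondition the first vulnerability needs, so that line is the one to act on (set the sysctl back to 1 and persist it).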

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers were able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default Ubuntu installations.

As soon as the Qualys research team confirmed the vulnerability, we engaged in responsible disclosure and coordinated with the vendor and open-source distributions to announce the newly discovered vulnerability.

The second vulnerability is caused by a race condition and can be exploited in a default Ubuntu desktop setup. For the exploit to work on Ubuntu Server, one of the packages from the "Featured Server Snaps" section must have been selected during installation.

The race condition shows up in the setup_private_mount() function, which is called while preparing the mount namespace for the snap package. This function creates a temporary directory, "/tmp/snap.$SNAP_NAME/tmp", or reuses an existing one, and bind-mounts the snap package's directories into it.

Since the name of the temporary directory is predictable, an attacker can replace its contents with a symbolic link after the owner check but before the mount system call is made. For example, a symlink "/tmp/snap.lxd/tmp" can be created in the /tmp/snap.lxd directory pointing at an arbitrary directory; the mount() call will follow the symlink and mount that directory into the namespace.

In the same way, the contents of /var/lib can be mounted over and, by mounting over /var/lib/snapd/mount/snap.snap-store.user-fstab, the attacker can arrange to mount their own /etc directory into the snap package's namespace, loading their library with root privileges by replacing /etc/ld.so.preload.

It is noted that developing the exploit turned out to be a non-trivial task, since the snap-confine utility is written using secure programming techniques (snapd is written in Go, but snap-confine is written in C), is protected by AppArmor profiles, filters system calls with seccomp, and uses a mount namespace to isolate itself from the rest of the system.

Nevertheless, the researchers were able to prepare a working exploit that gains root access on the system. The exploit code will be published a few weeks after users have installed the provided fixes.

Finally, it is worth mentioning that the problems are fixed in the snapd package update for Ubuntu versions 21.10, 20.04 and 18.04.

For other distributions that use snapd, snapd 2.54.3 has been released which, in addition to the problems above, fixes another vulnerability (CVE-2021-4120) that allows, when installing specially crafted plugin packages, bypassing arbitrary AppArmor rules and the access restrictions set for the package.
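A small added check (not from the article or from snapd) that parses the snapd version as printed by `snap version` and compares it with 2.54.3, the upstream release named above. The assumed input layout is the "snapd   <version>" line of `snap version`; distribution packages may ship the fix under a backported version string, so for Ubuntu the package changelog or the distribution's advisory remains the authoritative source.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if ver is 2.54.3 or newer, 0 if older, -1 if unparseable.
 * A missing patch component is treated as 0; suffixes after the third
 * number (e.g. "+20.04") are ignored. */
int snapd_version_is_fixed(const char *ver)
{
    int v[3] = {0, 0, 0};
    int n = sscanf(ver, "%d.%d.%d", &v[0], &v[1], &v[2]);
    if (n < 2)
        return -1;
    const int fixed[3] = {2, 54, 3};   /* upstream release named in the text */
    for (int i = 0; i < 3; i++) {
        if (v[i] > fixed[i]) return 1;
        if (v[i] < fixed[i]) return 0;
    }
    return 1;
}

/* Scan the text of `snap version` for the "snapd <version>" line and
 * evaluate it. Same return codes; -1 if no snapd line is present. */
int check_snap_version_output(const char *text)
{
    const char *line = text;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > 5 && strncmp(line, "snapd", 5) == 0 &&
            (line[5] == ' ' || line[5] == '\t')) {
            const char *p = line + 5;
            while (p < line + len && (*p == ' ' || *p == '\t'))
                p++;
            char buf[64];
            size_t vlen = (size_t)(line + len - p);
            if (vlen >= sizeof buf)
                vlen = sizeof buf - 1;
            memcpy(buf, p, vlen);
            buf[vlen] = '\0';
            return snapd_version_is_fixed(buf);
        }
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

int main(void)
{
    /* Usage: snap version | ./snapd_check */
    char buf[4096];
    size_t got = fread(buf, 1, sizeof buf - 1, stdin);
    buf[got] = '\0';
    int r = check_snap_version_output(buf);
    puts(r == 1 ? "snapd >= 2.54.3: fixed upstream" :
         r == 0 ? "snapd < 2.54.3: check your distribution's advisory for a backport" :
                  "could not find a snapd version line");
    return r == 1 ? 0 : 1;
}
```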

If you want to know more about it, you can check the details at the following link.

