Two vulnerabilities found in Snap that allow code execution as root

Qualys has disclosed that it identified two vulnerabilities (CVE-2021-44731 and CVE-2021-44730) in the snap-confine utility, which ships with the SUID root bit set and is invoked by the snapd process to build the execution environment for applications distributed as snap packages.

The blog post states that the vulnerabilities allow an unprivileged local user to obtain code execution as root on the system.

The first vulnerability (CVE-2021-44730) enables a hardlink attack, but it requires that the system's hardlink protection be disabled (sysctl fs.protected_hardlinks set to 0). Most current distributions, Ubuntu included, ship with fs.protected_hardlinks=1, so this variant is not exploitable on a default configuration; `sysctl fs.protected_hardlinks` shows the effective value.

The problem stems from incorrect validation of the location of the snap-update-ns and snap-discard-ns helper executables, which run as root. The path to these files is computed in the sc_open_snapd_tool() function from the utility's own path as reported by /proc/self/exe. This lets an attacker create a hardlink to snap-confine in a directory they control and place their own versions of snap-update-ns and snap-discard-ns in that same directory. When started through the hardlink, snap-confine, running as root, executes the attacker's snap-update-ns and snap-discard-ns from that directory instead of the genuine ones.
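The path derivation described above, as an added example that is not snap-confine's own code: `helper_path_from_exe()` reproduces the unsafe pattern of locating a privileged helper "next to" whatever /proc/self/exe resolves to, and `helper_path_fixed()` shows the usual hardening of compiling in a fixed directory and ignoring where the binary was invoked from. The `/usr/lib/snapd` directory and the helper names are assumptions for this example, not a description of snapd's actual layout or of the upstream fix.

```c
/* Added example, not snapd code: why deriving helper paths from
   /proc/self/exe is unsafe when an attacker can hardlink the binary. */
#define _GNU_SOURCE
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Directory a hardened build compiles in for its helpers.
   Assumption for this example, not snapd's real layout. */
#define TRUSTED_LIBEXEC "/usr/lib/snapd"

/* Vulnerable pattern: helper = dirname(exe) + "/" + tool. exe_path is
   passed in explicitly so the logic can be exercised without creating
   hardlinks; a hardlink at /home/attacker/snap-confine makes
   /proc/self/exe report exactly that path. Returns 0 on success. */
int helper_path_from_exe(const char *exe_path, const char *tool,
                         char *out, size_t outlen) {
    char copy[PATH_MAX];
    if (strlen(exe_path) >= sizeof copy) return -1;
    strcpy(copy, exe_path);          /* dirname() modifies its argument */
    const char *dir = dirname(copy);
    int n = snprintf(out, outlen, "%s/%s", dir, tool);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened pattern: the helper location does not depend on how we were
   started, and the tool name may not contain path separators. */
int helper_path_fixed(const char *tool, char *out, size_t outlen) {
    if (strchr(tool, '/')) return -1;
    int n = snprintf(out, outlen, "%s/%s", TRUSTED_LIBEXEC, tool);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Resolve our own /proc/self/exe, as the vulnerable code did. When the
   binary is started through a hardlink, the kernel reports the
   hardlink's path, not the path of the original installation. */
int self_exe_path(char *out, size_t outlen) {
    ssize_t n = readlink("/proc/self/exe", out, outlen - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    return 0;
}

int main(void) {
    char exe[PATH_MAX], helper[PATH_MAX];
    if (self_exe_path(exe, sizeof exe) != 0) { perror("readlink"); return 1; }
    helper_path_from_exe(exe, "snap-update-ns", helper, sizeof helper);
    printf("derived from /proc/self/exe: %s\n", helper);
    helper_path_fixed("snap-update-ns", helper, sizeof helper);
    printf("fixed location:              %s\n", helper);
    return 0;
}
```

Run the compiled binary once directly and once through a hardlink placed in a directory you own (with fs.protected_hardlinks=0, which is the precondition the advisory names) and compare the first line of output: only the derived path moves with the hardlink.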

Successful exploitation lets any unprivileged user gain root privileges on a vulnerable host. Qualys security researchers independently verified the vulnerability, developed an exploit, and obtained full root privileges on default Ubuntu installations.

Qualys states that, as soon as its research team confirmed the vulnerability, it engaged in responsible vulnerability disclosure and coordinated with the vendor and the open-source distributions to announce the newly discovered issues.

The second vulnerability (CVE-2021-44731) is caused by a race condition and can be exploited in the default Ubuntu Desktop configuration. For the exploit to succeed on Ubuntu Server, one of the packages from the "Featured Server Snaps" section must have been selected during installation.

The race condition appears in the setup_private_mount() function, which is called while preparing the mount namespace for a snap package. This function creates a temporary directory "/tmp/snap.$SNAP_NAME/tmp", or reuses an existing one, and bind-mounts the snap package's directories into it.

Because the name of the temporary directory is predictable, an attacker can replace its contents with a symbolic link after the owner check but before the mount system call. For example, one can create the symlink "/tmp/snap.lxd/tmp" inside /tmp/snap.lxd pointing to an arbitrary directory, and the mount() call will follow the symlink and mount that directory into the namespace.

In the same way, one can mount one's own contents onto /var/lib and, by overriding /var/lib/snapd/mount/snap.snap-store.user-fstab, arrange for an attacker-controlled /etc directory to be mounted into the snap package's namespace, so that a library of the attacker's choosing is loaded with root privileges via a substituted /etc/ld.so.preload.

It is noted that writing an exploit turned out to be a non-trivial task, since the snap-confine utility is written using secure programming techniques (snapd is written in Go, but C is used for snap-confine), is protected by AppArmor profiles, filters system calls through seccomp, and uses a mount namespace for isolation.

Nevertheless, the researchers were able to prepare a working exploit that obtains root access on the system. The exploit code will be published a few weeks after the updates have been made available, to give users time to install them.

Finally, it is worth mentioning that the issues were fixed in the snapd package update for Ubuntu 21.10, 20.04 and 18.04.

For other distributions that use Snap, snapd 2.54.3 has been released, which, in addition to the issues above, fixes another vulnerability (CVE-2021-4120) that allowed a specially crafted plugin package, when installed, to inject improper AppArmor rules and bypass the access restrictions set for the package.

If you are interested in learning more, you can check the details at the following link.
