Closed Bug 1198304 Opened 9 years ago Closed 9 years ago

[mig] mig-agent file module doesn't follow symlinked directories

Categories

(Enterprise Information Security Graveyard :: MIG, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kang, Unassigned)

Ex:
mig file -path /etc/ssl/certs -name localhost.crt -md5 2b547043e4c84892cbebcf47a3e9d2b9

does not return a match even though /etc/ssl/certs/localhost.crt matches the md5.
That's because the /etc/ssl/certs directory is a symlink to /etc/pki/tls/certs (which is not in the real directory scope of /etc/ssl/certs/*)

This causes confusion for users since paths would have to be manually checked. Note that doing symlink resolution may also cause infinite loops (for ex /etc/ssl/certs could be linked to itself, or to a directory linking back again to /etc/ssl/certs!)

Here's a more thorough real-life example for reproducibility:

--- snip ---
pbx1 /home/gdestuynder ☯ mig-agent -m file -d <<< '{"class":"parameters","parameters":{"searches":{"s1":{"paths":["/etc/ssl/certs"],"md5":["2b547043e4c84892cbebcf47a3e9d2b9"]}}}}';echo
[info] using builtin conf
{"foundanything":false,"success":true,"elements":{"s1":[{"file":"","search":{"paths":["/etc/ssl/certs"],"md5":["2B547043E4C84892CBEBCF47A3E9D2B9"],"options":{"maxdepth":0,"matchall":false,"matchlimit":0}},"fileinfo":{"size":0,"mode":"","lastmodified":""}}]},"statistics":{"filescount":1,"openfailed":0,"totalhits":0,"exectime":"3.754553ms"},"errors":["checkHash() -\u003e getHash() -\u003e read /etc/ssl/certs: is a directory"]}
pbx1 /home/gdestuynder ☯ mig-agent -m file -d <<< '{"class":"parameters","parameters":{"searches":{"s1":{"paths":["/etc/pki/tls/certs"],"md5":["2b547043e4c84892cbebcf47a3e9d2b9"]}}}}';echo
[info] using builtin conf
{"foundanything":true,"success":true,"elements":{"s1":[{"file":"/etc/pki/tls/certs/localhost.crt","search":{"paths":["/etc/pki/tls/certs"],"md5":["2B547043E4C84892CBEBCF47A3E9D2B9"],"options":{"maxdepth":0,"matchall":false,"matchlimit":0}},"fileinfo":{"size":1241,"mode":"-rw-------","lastmodified":"2011-08-13 17:10:15.753058153 +0000 UTC"}}]},"statistics":{"filescount":9,"openfailed":0,"totalhits":1,"exectime":"13.336304ms"},"errors":null}
pbx1 /home/gdestuynder ☯ ls -l /etc/ssl/certs
lrwxrwxrwx 1 root root 16 Jan 28  2015 /etc/ssl/certs -> ../pki/tls/certs
pbx1 /home/gdestuynder ☯ md5sum /etc/pki/tls/certs/localhost.crt
2b547043e4c84892cbebcf47a3e9d2b9  /etc/pki/tls/certs/localhost.crt
pbx1 /home/gdestuynder ☯ md5sum /etc/ssl/certs/localhost.crt 
2b547043e4c84892cbebcf47a3e9d2b9  /etc/ssl/certs/localhost.crt
--- snap ---

MIG's `file` module will follow symlinks on files only, not directories, using Go's filepath.EvalSymlinks() function (which has a hardcoded limit of 255 levels). We could make it follow symlinks on directories, but it would be difficult to constrain a given search to a root path, as we do today. Any extra limitation we impose, such as limiting the number of links that can be followed, or limiting the depth search of a symlinked directory, is likely to cause confusion.

I would prefer to not follow symlinks of directories at all and add a soft error in the results of the search that indicates a directory symlink was encountered and not followed. I think it would help reduce confusion and keep the behavior consistent. Note that `find` has a similar behavior and will not follow symlinks by default (-L is required).

That said, if we decide to follow directory symlinks, it should be implemented as an additional case of the symlink handling in the pathWalk() function, right after https://github.com/mozilla/mig/blob/f308713f38a4979733818889e12dd5178a054f59/src/mig/modules/file/file.go#L885-L887
Migrated to github issues: https://github.com/mozilla/mig/issues
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Product: Enterprise Information Security → Enterprise Information Security Graveyard
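
The two behaviours discussed in this bug, as an added Go example (not MIG's code and not written by anyone in this thread): by default a symlinked directory is not followed and a soft error is recorded, and in an opt-in follow mode each directory is keyed by its resolved path so a link cycle terminates. The function `walk`, its messages and the temporary tree are assumptions constructed for illustration.

```go
package main
import (
	"fmt"
	"os"
	"path/filepath"
)

// walk (hypothetical, not MIG's pathWalk) lists regular files under root;
// soft collects non-fatal notes for the caller, like the module's "errors".
func walk(root string, follow bool) (files, soft []string) {
	seen := map[string]bool{} // resolved directory paths already entered
	var visit func(p string)
	visit = func(p string) {
		li, lerr := os.Lstat(p)               // the entry itself
		info, err := os.Stat(p)               // its target, after following links
		target, _ := filepath.EvalSymlinks(p) // resolved path identifies the directory
		switch {
		case lerr != nil || err != nil:
			soft = append(soft, "cannot stat: "+p)
		case !info.IsDir():
			files = append(files, p)
		case li.Mode()&os.ModeSymlink != 0 && !follow:
			soft = append(soft, "directory symlink not followed: "+p)
		case seen[target]: // same directory reached again: cycle guard
			soft = append(soft, "directory already visited, skipped: "+p)
		default:
			seen[target] = true
			entries, err := os.ReadDir(p)
			if err != nil {
				soft = append(soft, err.Error())
			}
			for _, e := range entries {
				visit(filepath.Join(p, e.Name()))
			}
		}
	}
	visit(root)
	return files, soft
}

func main() { // constructed tree mirroring the report: ssl/certs -> ../pki/certs
	base, _ := os.MkdirTemp("", "symwalk")
	defer os.RemoveAll(base)
	os.MkdirAll(filepath.Join(base, "pki/certs"), 0o755)
	os.MkdirAll(filepath.Join(base, "ssl"), 0o755)
	os.WriteFile(filepath.Join(base, "pki/certs/localhost.crt"), []byte("x"), 0o600)
	os.Symlink("../pki/certs", filepath.Join(base, "ssl/certs"))
	os.Symlink("../../ssl", filepath.Join(base, "pki/certs/back")) // closes a cycle
	fmt.Println(walk(filepath.Join(base, "ssl/certs"), false))
	fmt.Println(walk(filepath.Join(base, "ssl"), true))
}
```

Follow mode in this sketch does not confine the walk to the original root, which is the difficulty raised in the comment above.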