pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations

Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
being placed in user controlled directories, causing the PAM module to
block indefinitely during `openat()`.

Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
refer to a directory.

With this the check whether the final path element is a directory
becomes unnecessary, drop it.

1 files changed, 1 insertions, 17 deletions

diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
index 2528cff8..f72d6718 100644
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
 	int dfd = AT_FDCWD;
 	int dfd_next;
 	int save_errno;
-	int flags = O_RDONLY;
+	int flags = O_RDONLY | O_DIRECTORY;
 	int rv = -1;
 	struct stat st;
 
@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
 		rv = openat(dfd, dir, flags);
 	}
 
-	if (rv != -1) {
-		if (fstat(rv, &st) != 0) {
-			save_errno = errno;
-			close(rv);
-			rv = -1;
-			errno = save_errno;
-			goto error;
-		}
-		if (!S_ISDIR(st.st_mode)) {
-			close(rv);
-			errno = ENOTDIR;
-			rv = -1;
-			goto error;
-		}
-	}
-
 	if (flags & O_NOFOLLOW) {
 		/* we are inside user-owned dir - protect */
 		if (protect_mount(rv, p, idata) == -1) {