Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
pcp
0012-src-pmpost-pmpost.c-guard-against-possible...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0012-src-pmpost-pmpost.c-guard-against-possible-symlink-a.patch of Package pcp
From 58ac1989fe64377b66af4090b10c807656237430 Mon Sep 17 00:00:00 2001 From: Ken McDonell <kenj@kenj.id.au> Date: Tue, 13 Aug 2024 11:45:20 +1000 Subject: [PATCH 12/19] src/pmpost/pmpost.c: guard against possible symlink attack If $PCP_LOG_DIR/NOTICES is a symlink don't trust it. Note that $PCP_LOG_DIR is owned pcp:pcp, so this would need a prior root penetration or compromise of the pcp account which has a /usr/sbin/nologin shell and no password by default. Addresses SUSE Issue G. Extend qa/640 to explore this possible attack vector. (cherry picked from commit 22505f9a43c212217d4d53200dcf2f0e94febc8f) [ddiss: rebase qa/1370 without 39d434c0a ("libpcp et. al.: derived metric saga continues")] Acked-by: David Disseldorp <ddiss@suse.de> --- qa/640 | 51 ++++++++++++++++++++++++++++++++++++++++++--- qa/640.out | 3 +++ src/pmpost/pmpost.c | 8 +++++-- 3 files changed, 57 insertions(+), 5 deletions(-) diff --git a/qa/640 b/qa/640 index c36018e0f..44088d75f 100755 --- a/qa/640 +++ b/qa/640 @@ -6,6 +6,10 @@ # years; so we now simply check the right permissions are in place # and move right along... # +# Aug 2024 update +# SuSE Issue G identifies another possible exploit, so try that +# as well. +# # Copyright (c) 1995-2002 Silicon Graphics, Inc. All Rights Reserved. # @@ -17,13 +21,54 @@ echo "QA output created by $seq" . ./common.filter . ./common.check -status=0 # success is the default! -trap "$sudo rm -f $tmp.*; exit \$status" 0 1 2 3 15 +rm -f $seq.full +ls -li $PCP_LOG_DIR/NOTICES $tmp/badness >>$seq.full 2>&1 + +_cleanup() +{ + if [ -f $PCP_LOG_DIR/NOTICES.$seq ] + then + $sudo rm -f $PCP_LOG_DIR/NOTICES + $sudo mv $PCP_LOG_DIR/NOTICES.$seq $PCP_LOG_DIR/NOTICES + fi + ls -li $PCP_LOG_DIR/NOTICES $tmp/badness >>$seq.full 2>&1 + $sudo rm -rf $tmp $tmp.* +} + +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_filter() +{ + sed \ + -e "s@$PCP_LOG_DIR@PCP_LOG_DIR@g" \ + -e '/^pmpost:/s/\[.*]/[DATE]/' \ + # end +} # real QA test starts here pmpost=$PCP_BINADM_DIR/pmpost -echo "Using pmpost binary: $pmpost" > $seq.full +echo "Using pmpost binary: $pmpost" >>$seq.full test -u "$pmpost" && echo "FAIL: pmpost has setuid bit set" test -g "$pmpost" && echo "FAIL: pmpost has setgid bit set" + +$sudo mkdir $tmp || exit +$sudo chmod 700 $tmp || exit +$sudo -u $PCP_USER mv $PCP_LOG_DIR/NOTICES $PCP_LOG_DIR/NOTICES.$seq + +$sudo -u $PCP_USER ln -s $tmp/badness $PCP_LOG_DIR/NOTICES >>$seq.full +$pmpost ordinary user 2>&1 | _filter +$sudo ls -li $PCP_LOG_DIR/NOTICES $tmp/badness >>$seq.full 2>&1 +$sudo -u pcp $pmpost pcp user 2>&1 | _filter +$sudo ls -li $PCP_LOG_DIR/NOTICES $tmp/badness >>$seq.full 2>&1 +$sudo $pmpost root user 2>&1 | _filter +$sudo ls -li $PCP_LOG_DIR/NOTICES $tmp/badness >>$seq.full 2>&1 +if $sudo test -f $tmp/badness +then + $sudo cat $tmp/badness +fi + echo "Test complete" + +status=0 exit diff --git a/qa/640.out b/qa/640.out index f8a70b72d..3de815cd2 100644 --- a/qa/640.out +++ b/qa/640.out @@ -1,2 +1,5 @@ QA output created by 640 +pmpost: unposted message: [DATE] ordinary user +pmpost: unposted message: [DATE] pcp user +pmpost: unposted message: [DATE] root user Test complete diff --git a/src/pmpost/pmpost.c b/src/pmpost/pmpost.c index 4036baa41..398c104e5 100644 --- a/src/pmpost/pmpost.c +++ b/src/pmpost/pmpost.c @@ -144,8 +144,12 @@ main(int argc, char **argv) goto oops; } - if ((fd = open(notices, O_WRONLY|O_APPEND, 0)) < 0) { - if ((fd = open(notices, O_WRONLY|O_CREAT|O_APPEND, 0664)) < 0) { + if ((fd = open(notices, O_WRONLY|O_APPEND|O_NOFOLLOW, 0)) < 0) { + if (oserror() == ELOOP) { + /* last component is symlink => attack? ... bail! */ + goto oops; + } + if ((fd = open(notices, O_WRONLY|O_CREAT|O_APPEND|O_NOFOLLOW, 0664)) < 0) { fprintf(stderr, "pmpost: cannot open or create file \"%s\": %s\n", notices, osstrerror()); goto oops; -- 2.43.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor