From cc8cc8f32c863f3ae6a8a88e97b47bcd6a21825f Mon Sep 17 00:00:00 2001
From: Karel Zak
Date: Mon, 26 Nov 2012 16:25:46 +0100
Subject: [PATCH] umount: sanitize paths from non-root users
Signed-off-by: Karel Zak
Signed-off-by: Petr Uzel
---
sys-utils/Makefile.am | 4 +++-
sys-utils/umount.c | 32 ++++++++++++++++++++++++++++++--
2 files changed, 33 insertions(+), 3 deletions(-)
Index: util-linux-2.21.2/sys-utils/Makefile.am
===================================================================
--- util-linux-2.21.2.orig/sys-utils/Makefile.am
+++ util-linux-2.21.2/sys-utils/Makefile.am
@@ -71,7 +71,9 @@ mount_LDADD = $(ul_libmount_la) $(SELINU
 mount_CFLAGS = $(SUID_CFLAGS) $(AM_CFLAGS) -I$(ul_libmount_incdir)
 mount_LDFLAGS = $(SUID_LDFLAGS) $(AM_LDFLAGS)
-umount_SOURCES = umount.c $(top_srcdir)/lib/env.c
+umount_SOURCES = umount.c \
+ $(top_srcdir)/lib/env.c \
+ $(top_srcdir)/lib/canonicalize.c
 umount_LDADD = $(ul_libmount_la)
 umount_CFLAGS = $(AM_CFLAGS) $(SUID_CFLAGS) -I$(ul_libmount_incdir)
 umount_LDFLAGS = $(SUID_LDFLAGS) $(AM_LDFLAGS)
Index: util-linux-2.21.2/sys-utils/umount.c
===================================================================
--- util-linux-2.21.2.orig/sys-utils/umount.c
+++ util-linux-2.21.2/sys-utils/umount.c
@@ -34,6 +34,7 @@
 #include "env.h"
 #include "optutils.h"
 #include "exitcodes.h"
+#include "canonicalize.h"
 static int table_parser_errcb(struct libmnt_table *tb __attribute__((__unused__)), const char *filename, int line)
@@ -277,6 +278,24 @@ static int umount_one(struct libmnt_cont
 return rc;
 }
+/*
+ * Check path -- non-root user should not be able to resolve path which is
+ * unreadable for him.
+ */
+static char *sanitize_path(const char *path)
+{
+ char *p;
+
+ if (!path)
+ return NULL;
+
+ p = canonicalize_path_restricted(path);
+ if (!p)
+ err(MOUNT_EX_USAGE, "%s", path);
+
+ return p;
+}
+
 int main(int argc, char **argv)
 {
 int c, rc = 0, all = 0;
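Review bot: sanitize_path() exits the process through `err(MOUNT_EX_USAGE, "%s", path)` when canonicalize_path_restricted() fails, and the comment above it mentions neither that nor who owns the returned string (main() releases it with free(), so it is apparently heap-allocated). Because main() calls it inside a loop over several arguments, one path the user cannot resolve ends the run before the remaining arguments are tried and before `mnt_free_context(cxt)`. If that is intended, the comment should say so, e.g. `/* Returns an allocated canonical path the caller must free(); exits via err() if the path cannot be resolved. */`. MOUNT_EX_USAGE also reports a lookup or permission failure as a usage error, which may deserve a different exit code. canonicalize_path_restricted() is defined outside this diff, so how it restricts the lookup to the caller's own permissions cannot be checked here.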
@@ -388,8 +407,17 @@ int main(int argc, char **argv)
 } else if (argc < 1) {
 usage(stderr);
- } else while (argc--)
- rc += umount_one(cxt, *argv++);
+ } else while (argc--) {
+ char *path = *argv++;
+
+ if (mnt_context_is_restricted(cxt))
+ path = sanitize_path(path);
+
+ rc += umount_one(cxt, path);
+
+ if (mnt_context_is_restricted(cxt))
+ free(path);
+ }
 mnt_free_context(cxt);
 return rc;
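Review bot: The new loop body evaluates `mnt_context_is_restricted(cxt)` twice, once to decide whether `path` is replaced by an allocated copy and again to decide whether to `free(path)`, with `umount_one(cxt, path)` running in between. If the context's restricted state could differ between the two calls (umount_one's body is not visible in this hunk), the code would either leak the copy or pass an `argv` element to free(). Capturing the decision once removes that coupling: add `int restricted = mnt_context_is_restricted(cxt);` at the top of the loop body and test `restricted` in both `if` statements. main() starts and ends outside the hunk.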