forked from pool/util-linux
- add-canonicalize_path_restricted.patch,
mount-sanitize-paths-from-non-root-users.patch, umount-sanitize-paths-from-non-root-users.patch: prevent leaking information about existence of folders (bnc#797002, CVE-2013-0157) OBS-URL: https://build.opensuse.org/package/show/Base:System/util-linux?expand=0&rev=150
This commit is contained in:
parent
168e109a16
commit
b30522c80d
78
add-canonicalize_path_restricted.patch
Normal file
78
add-canonicalize_path_restricted.patch
Normal file
@ -0,0 +1,78 @@
|
||||
From 33c5fd0c5a774458470c86f9d318d8c48a9c9ccb Mon Sep 17 00:00:00 2001
|
||||
From: Karel Zak <kzak@redhat.com>
|
||||
Date: Mon, 26 Nov 2012 16:24:28 +0100
|
||||
Subject: [PATCH] lib/canonicalize: add canonicalize_path_restricted() to
|
||||
canonicalize without suid permisssions
|
||||
|
||||
Signed-off-by: Karel Zak <kzak@redhat.com>
|
||||
Signed-off-by: Petr Uzel <petr.uzel@suse.cz>
|
||||
---
|
||||
include/canonicalize.h | 1 +
|
||||
lib/canonicalize.c | 42 ++++++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 43 insertions(+)
|
||||
|
||||
Index: util-linux-2.21.2/include/canonicalize.h
|
||||
===================================================================
|
||||
--- util-linux-2.21.2.orig/include/canonicalize.h
|
||||
+++ util-linux-2.21.2/include/canonicalize.h
|
||||
@@ -4,6 +4,7 @@
|
||||
#include "c.h" /* for PATH_MAX */
|
||||
|
||||
extern char *canonicalize_path(const char *path);
|
||||
+extern char *canonicalize_path_restricted(const char *path);
|
||||
extern char *canonicalize_dm_name(const char *ptname);
|
||||
|
||||
#endif /* CANONICALIZE_H */
|
||||
Index: util-linux-2.21.2/lib/canonicalize.c
|
||||
===================================================================
|
||||
--- util-linux-2.21.2.orig/lib/canonicalize.c
|
||||
+++ util-linux-2.21.2/lib/canonicalize.c
|
||||
@@ -188,6 +188,48 @@ canonicalize_path(const char *path)
|
||||
return strdup(canonical);
|
||||
}
|
||||
|
||||
+char *
|
||||
+canonicalize_path_restricted(const char *path)
|
||||
+{
|
||||
+ char canonical[PATH_MAX+2];
|
||||
+ char *p = NULL;
|
||||
+ int errsv;
|
||||
+ uid_t euid;
|
||||
+ gid_t egid;
|
||||
+
|
||||
+ if (path == NULL)
|
||||
+ return NULL;
|
||||
+
|
||||
+ euid = geteuid();
|
||||
+ egid = getegid();
|
||||
+
|
||||
+ /* drop permissions */
|
||||
+ if (setegid(getgid()) < 0 || seteuid(getuid()) < 0)
|
||||
+ return NULL;
|
||||
+
|
||||
+ errsv = errno = 0;
|
||||
+
|
||||
+ if (myrealpath(path, canonical, PATH_MAX+1)) {
|
||||
+ p = strrchr(canonical, '/');
|
||||
+ if (p && strncmp(p, "/dm-", 4) == 0 && isdigit(*(p + 4)))
|
||||
+ p = canonicalize_dm_name(p+1);
|
||||
+ else
|
||||
+ p = NULL;
|
||||
+ if (!p)
|
||||
+ p = strdup(canonical);
|
||||
+ } else
|
||||
+ errsv = errno;
|
||||
+
|
||||
+ /* restore */
|
||||
+ if (setegid(egid) < 0 || seteuid(euid) < 0) {
|
||||
+ free(p);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ errno = errsv;
|
||||
+ return p;
|
||||
+}
|
||||
+
|
||||
|
||||
#ifdef TEST_PROGRAM_CANONICALIZE
|
||||
int main(int argc, char **argv)
|
102
mount-sanitize-paths-from-non-root-users.patch
Normal file
102
mount-sanitize-paths-from-non-root-users.patch
Normal file
@ -0,0 +1,102 @@
|
||||
From 5ebbc3865d1e53ef42e5f121c41faab23dd59075 Mon Sep 17 00:00:00 2001
|
||||
From: Karel Zak <kzak@redhat.com>
|
||||
Date: Mon, 26 Nov 2012 14:30:22 +0100
|
||||
Subject: [PATCH] mount: sanitize paths from non-root users
|
||||
|
||||
$ mount /root/.ssh/../../dev/sda2
|
||||
mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot
|
||||
|
||||
this is too promiscuous. It seems better to ignore on command line
|
||||
specified paths which are not resolve-able for non-root users.
|
||||
|
||||
Fixed version:
|
||||
|
||||
$ mount /root/.ssh/../../dev/sda2
|
||||
mount: /root/.ssh/../../dev/sda2: Permission denied
|
||||
|
||||
$ mount /dev/sda2
|
||||
mount: only root can mount UUID=17bc65ec-4125-4e7c-8a7d-e2795064c736 on /boot
|
||||
|
||||
Note that this bug has no relation to mount(2) permissions evaluation
|
||||
in suid mode. The way how non-root user specifies paths on command
|
||||
line is completely irrelevant for comparison with fstab entries.
|
||||
|
||||
Signed-off-by: Karel Zak <kzak@redhat.com>
|
||||
Signed-off-by: Petr Uzel <petr.uzel@suse.cz>
|
||||
---
|
||||
sys-utils/Makefile.am | 1 +
|
||||
sys-utils/mount.c | 35 +++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 36 insertions(+)
|
||||
|
||||
Index: util-linux-2.21.2/sys-utils/Makefile.am
|
||||
===================================================================
|
||||
--- util-linux-2.21.2.orig/sys-utils/Makefile.am
|
||||
+++ util-linux-2.21.2/sys-utils/Makefile.am
|
||||
@@ -64,6 +64,7 @@ dist_man_MANS += mount.8 ../mount/fstab.
|
||||
mount_SOURCES = mount.c \
|
||||
$(top_srcdir)/lib/env.c \
|
||||
$(top_srcdir)/lib/xgetpass.c \
|
||||
+ $(top_srcdir)/lib/canonicalize.c \
|
||||
$(top_srcdir)/lib/strutils.c
|
||||
|
||||
mount_LDADD = $(ul_libmount_la) $(SELINUX_LIBS)
|
||||
Index: util-linux-2.21.2/sys-utils/mount.c
|
||||
===================================================================
|
||||
--- util-linux-2.21.2.orig/sys-utils/mount.c
|
||||
+++ util-linux-2.21.2/sys-utils/mount.c
|
||||
@@ -38,6 +38,7 @@
|
||||
#include "strutils.h"
|
||||
#include "exitcodes.h"
|
||||
#include "xalloc.h"
|
||||
+#include "canonicalize.h"
|
||||
|
||||
/*** TODO: DOCS:
|
||||
*
|
||||
@@ -572,6 +573,37 @@ static struct libmnt_table *append_fstab
|
||||
return fstab;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Check source and target paths -- non-root user should not be able to
|
||||
+ * resolve paths which are unreadable for him.
|
||||
+ */
|
||||
+static void sanitize_paths(struct libmnt_context *cxt)
|
||||
+{
|
||||
+ const char *p;
|
||||
+ struct libmnt_fs *fs = mnt_context_get_fs(cxt);
|
||||
+
|
||||
+ if (!fs)
|
||||
+ return;
|
||||
+
|
||||
+ p = mnt_fs_get_target(fs);
|
||||
+ if (p) {
|
||||
+ char *np = canonicalize_path_restricted(p);
|
||||
+ if (!np)
|
||||
+ err(MOUNT_EX_USAGE, "%s", p);
|
||||
+ mnt_fs_set_target(fs, np);
|
||||
+ free(np);
|
||||
+ }
|
||||
+
|
||||
+ p = mnt_fs_get_srcpath(fs);
|
||||
+ if (p) {
|
||||
+ char *np = canonicalize_path_restricted(p);
|
||||
+ if (!np)
|
||||
+ err(MOUNT_EX_USAGE, "%s", p);
|
||||
+ mnt_fs_set_source(fs, np);
|
||||
+ free(np);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static void __attribute__((__noreturn__)) usage(FILE *out)
|
||||
{
|
||||
fputs(USAGE_HEADER, out);
|
||||
@@ -880,6 +912,9 @@ int main(int argc, char **argv)
|
||||
} else
|
||||
usage(stderr);
|
||||
|
||||
+ if (mnt_context_is_restricted(cxt))
|
||||
+ sanitize_paths(cxt);
|
||||
+
|
||||
if (oper) {
|
||||
/* MS_PROPAGATION operations, let's set the mount flags */
|
||||
mnt_context_set_mflags(cxt, oper);
|
84
umount-sanitize-paths-from-non-root-users.patch
Normal file
84
umount-sanitize-paths-from-non-root-users.patch
Normal file
@ -0,0 +1,84 @@
|
||||
From cc8cc8f32c863f3ae6a8a88e97b47bcd6a21825f Mon Sep 17 00:00:00 2001
|
||||
From: Karel Zak <kzak@redhat.com>
|
||||
Date: Mon, 26 Nov 2012 16:25:46 +0100
|
||||
Subject: [PATCH] umount: sanitize paths from non-root users
|
||||
|
||||
Signed-off-by: Karel Zak <kzak@redhat.com>
|
||||
Signed-off-by: Petr Uzel <petr.uzel@suse.cz>
|
||||
---
|
||||
sys-utils/Makefile.am | 4 +++-
|
||||
sys-utils/umount.c | 32 ++++++++++++++++++++++++++++++--
|
||||
2 files changed, 33 insertions(+), 3 deletions(-)
|
||||
|
||||
Index: util-linux-2.21.2/sys-utils/Makefile.am
|
||||
===================================================================
|
||||
--- util-linux-2.21.2.orig/sys-utils/Makefile.am
|
||||
+++ util-linux-2.21.2/sys-utils/Makefile.am
|
||||
@@ -71,7 +71,9 @@ mount_LDADD = $(ul_libmount_la) $(SELINU
|
||||
mount_CFLAGS = $(SUID_CFLAGS) $(AM_CFLAGS) -I$(ul_libmount_incdir)
|
||||
mount_LDFLAGS = $(SUID_LDFLAGS) $(AM_LDFLAGS)
|
||||
|
||||
-umount_SOURCES = umount.c $(top_srcdir)/lib/env.c
|
||||
+umount_SOURCES = umount.c \
|
||||
+ $(top_srcdir)/lib/env.c \
|
||||
+ $(top_srcdir)/lib/canonicalize.c
|
||||
umount_LDADD = $(ul_libmount_la)
|
||||
umount_CFLAGS = $(AM_CFLAGS) $(SUID_CFLAGS) -I$(ul_libmount_incdir)
|
||||
umount_LDFLAGS = $(SUID_LDFLAGS) $(AM_LDFLAGS)
|
||||
Index: util-linux-2.21.2/sys-utils/umount.c
|
||||
===================================================================
|
||||
--- util-linux-2.21.2.orig/sys-utils/umount.c
|
||||
+++ util-linux-2.21.2/sys-utils/umount.c
|
||||
@@ -34,6 +34,7 @@
|
||||
#include "env.h"
|
||||
#include "optutils.h"
|
||||
#include "exitcodes.h"
|
||||
+#include "canonicalize.h"
|
||||
|
||||
static int table_parser_errcb(struct libmnt_table *tb __attribute__((__unused__)),
|
||||
const char *filename, int line)
|
||||
@@ -277,6 +278,24 @@ static int umount_one(struct libmnt_cont
|
||||
return rc;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Check path -- non-root user should not be able to resolve path which is
|
||||
+ * unreadable for him.
|
||||
+ */
|
||||
+static char *sanitize_path(const char *path)
|
||||
+{
|
||||
+ char *p;
|
||||
+
|
||||
+ if (!path)
|
||||
+ return NULL;
|
||||
+
|
||||
+ p = canonicalize_path_restricted(path);
|
||||
+ if (!p)
|
||||
+ err(MOUNT_EX_USAGE, "%s", path);
|
||||
+
|
||||
+ return p;
|
||||
+}
|
||||
+
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
int c, rc = 0, all = 0;
|
||||
@@ -388,8 +407,17 @@ int main(int argc, char **argv)
|
||||
} else if (argc < 1) {
|
||||
usage(stderr);
|
||||
|
||||
- } else while (argc--)
|
||||
- rc += umount_one(cxt, *argv++);
|
||||
+ } else while (argc--) {
|
||||
+ char *path = *argv++;
|
||||
+
|
||||
+ if (mnt_context_is_restricted(cxt))
|
||||
+ path = sanitize_path(path);
|
||||
+
|
||||
+ rc += umount_one(cxt, path);
|
||||
+
|
||||
+ if (mnt_context_is_restricted(cxt))
|
||||
+ free(path);
|
||||
+ }
|
||||
|
||||
mnt_free_context(cxt);
|
||||
return rc;
|
@ -1,3 +1,12 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 7 13:26:15 UTC 2013 - puzel@suse.com
|
||||
|
||||
- add-canonicalize_path_restricted.patch,
|
||||
mount-sanitize-paths-from-non-root-users.patch,
|
||||
umount-sanitize-paths-from-non-root-users.patch:
|
||||
prevent leaking information about existence of folders
|
||||
(bnc#797002, CVE-2013-0157)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Dec 28 04:30:58 UTC 2012 - crrodriguez@opensuse.org
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package util-linux
|
||||
#
|
||||
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -106,6 +106,13 @@ Patch13: login-close-tty-before-vhangup.patch
|
||||
|
||||
# hack for boot.localfs
|
||||
Patch20: util-linux-HACK-boot.localfs.diff
|
||||
|
||||
Patch21: 0001-include-bitops.h-Use-the-operating-system-byteswappi.patch
|
||||
|
||||
#bnc#797002
|
||||
Patch22: add-canonicalize_path_restricted.patch
|
||||
Patch23: mount-sanitize-paths-from-non-root-users.patch
|
||||
Patch24: umount-sanitize-paths-from-non-root-users.patch
|
||||
#####
|
||||
|
||||
##
|
||||
@ -121,8 +128,6 @@ Patch56: klogconsole.diff
|
||||
##
|
||||
Patch60: time-1.7.dif
|
||||
|
||||
Patch61: 0001-include-bitops.h-Use-the-operating-system-byteswappi.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
PreReq: %insserv_prereq %fillup_prereq /bin/sed
|
||||
#
|
||||
@ -223,7 +228,10 @@ Files to develop applications using the libmount library.
|
||||
%patch13 -p1
|
||||
#
|
||||
%patch20 -p1
|
||||
%patch61 -p1
|
||||
%patch21 -p1
|
||||
%patch22 -p1
|
||||
%patch23 -p1
|
||||
%patch24 -p1
|
||||
#
|
||||
cd adjtimex-*
|
||||
# adjtimex patches belongs here
|
||||
|
Loading…
Reference in New Issue
Block a user