From ebad72b771d17033f03c00bcdc5bb24db5116862 Mon Sep 17 00:00:00 2001
Message-Id:
From: "Daniel P. Berrange"
Date: Wed, 30 Oct 2013 17:01:42 +0000
Subject: [PATCH] Only allow 'stderr' log output when running setuid
CVE-2013-4400
We must not allow file/syslog/journald log outputs when running setuid since they can be abused to do bad things. In particular the 'file' output can be used to overwrite files.
Signed-off-by: Daniel P. Berrange
(cherry picked from commit 8c3586ea755c40d5e01b22cb7b5c1e668cdec994)
Signed-off-by: Jiri Denemark
---
 src/util/virlog.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/util/virlog.c b/src/util/virlog.c
index 6f791ad..694da89 100644
--- a/src/util/virlog.c
+++ b/src/util/virlog.c
@@ -1324,6 +1324,9 @@ int virLogPriorityFromSyslog(int priority ATTRIBUTE_UNUSED)
 * Multiple output can be defined in a single @output, they just need to be
 * separated by spaces.
 *
+ * If running in setuid mode, then only the 'stderr' output will
+ * be allowed
+ *
 * Returns the number of output parsed and installed or -1 in case of error
 */
 int
@@ -1335,6 +1338,7 @@ virLogParseOutputs(const char *outputs)
 virLogPriority prio;
 int ret = -1;
 int count = 0;
+ bool isSUID = virIsSUID();
 if (cur == NULL)
 return -1;
@@ -1354,6 +1358,8 @@ virLogParseOutputs(const char *outputs)
 if (virLogAddOutputToStderr(prio) == 0)
 count++;
 } else if (STREQLEN(cur, "syslog", 6)) {
+ if (isSUID)
+ goto cleanup;
 cur += 6;
 if (*cur != ':')
 goto cleanup;
@@ -1371,6 +1377,8 @@ virLogParseOutputs(const char *outputs)
 VIR_FREE(name);
 #endif /* HAVE_SYSLOG_H */
 } else if (STREQLEN(cur, "file", 4)) {
+ if (isSUID)
+ goto cleanup;
 cur += 4;
 if (*cur != ':')
 goto cleanup;
@@ -1391,6 +1399,8 @@ virLogParseOutputs(const char *outputs)
 VIR_FREE(name);
 VIR_FREE(abspath);
 } else if (STREQLEN(cur, "journald", 8)) {
+ if (isSUID)
+ goto cleanup;
 cur += 8;
 #if USE_JOURNALD
 if (virLogAddOutputToJournald(prio) == 0)
--
1.8.4.2
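Review bot: The comment added to virLogParseOutputs in the first hunk says only 'stderr' is allowed under setuid, but not what happens when the string names another output. In the later hunks a syslog, file or journald entry jumps to `cleanup` with `ret` still at its initial -1, so the whole parse appears to fail rather than skip that entry; the cleanup label is outside the hunks, so this is inferred. Any stderr output parsed earlier in the same string has already been installed by then (`count++` after `virLogAddOutputToStderr`). I would state the failure mode in the comment, e.g. `* be allowed; any other output type makes the parse fail with -1`.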
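Review bot: The setuid restriction is written as a deny-list, so any output type added later is accepted under setuid unless its author remembers the check. `if (isSUID) goto cleanup;` is repeated in the syslog branch here (third hunk) and again in the file and journald branches in the next two hunks. A single allow-list test placed just before the branch chain, where `cur` points at the output type, fails closed instead: `if (isSUID && !STREQLEN(cur, "stderr", 6)) goto cleanup;`. This assumes the first branch, whose condition lies outside the hunk, matches "stderr" the same way. The loop body of virLogParseOutputs starts and ends outside these hunks, so the exact placement needs checking against the full function.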