Blame SOURCES/autofs-5.1.0-add-config-option-to-force-use-of-program-map-stdvars.patch

autofs-5.1.0 - add config option to force use of program map stdvars
From: Ian Kent <ikent@redhat.com>
Enabling the extended environment (including $HOME, for example) for
program maps opens automount(8) to a privilege escalation.
Rather than just removing the extended environment, a configuration
option is added to disable it by default so that those who wish to
use it can do so if they wish.
---
 CHANGELOG                      |    1 +
 include/defaults.h             |    2 ++
 lib/defaults.c                 |   12 ++++++++++++
 man/autofs.5                   |    5 +++++
 man/autofs.conf.5.in           |    9 +++++++++
 modules/lookup_program.c       |   14 +++++++++++++-
 redhat/autofs.conf.default.in  |   11 +++++++++++
 samples/autofs.conf.default.in |   11 +++++++++++
 8 files changed, 64 insertions(+), 1 deletion(-)
4d476f
--- autofs-5.0.7.orig/CHANGELOG
4d476f
+++ autofs-5.0.7/CHANGELOG
4d476f
@@ -163,6 +163,7 @@
4d476f
 - ensure negative cache isn't updated on remount.
4d476f
 - dont add wildcard to negative cache.
4d476f
 - add a prefix to program map stdvars.
4d476f
+- add config option to force use of program map stdvars.
4d476f
 
4d476f
 25/07/2012 autofs-5.0.7
4d476f
 =======================
4d476f
--- autofs-5.0.7.orig/include/defaults.h
4d476f
+++ autofs-5.0.7/include/defaults.h
4d476f
@@ -30,6 +30,7 @@
4d476f
 #define DEFAULT_UMOUNT_WAIT		"12"
4d476f
 #define DEFAULT_BROWSE_MODE		"1"
4d476f
 #define DEFAULT_LOGGING			"none"
4d476f
+#define DEFAULT_FORCE_STD_PROG_MAP_ENV	"0"
4d476f
 
4d476f
 #define DEFAULT_LDAP_TIMEOUT		"-1"
4d476f
 #define DEFAULT_LDAP_NETWORK_TIMEOUT	"8"
4d476f
@@ -151,6 +152,7 @@ unsigned int defaults_get_timeout(void);
4d476f
 unsigned int defaults_get_negative_timeout(void);
4d476f
 unsigned int defaults_get_browse_mode(void);
4d476f
 unsigned int defaults_get_logging(void);
4d476f
+unsigned int defaults_force_std_prog_map_env(void);
4d476f
 const char *defaults_get_ldap_server(void);
4d476f
 unsigned int defaults_get_ldap_timeout(void);
4d476f
 unsigned int defaults_get_ldap_network_timeout(void);
4d476f
--- autofs-5.0.7.orig/lib/defaults.c
4d476f
+++ autofs-5.0.7/lib/defaults.c
4d476f
@@ -50,6 +50,7 @@
4d476f
 #define NAME_NEGATIVE_TIMEOUT		"negative_timeout"
4d476f
 #define NAME_BROWSE_MODE		"browse_mode"
4d476f
 #define NAME_LOGGING			"logging"
4d476f
+#define NAME_FORCE_STD_PROG_MAP_ENV	"force_standard_program_map_env"
4d476f
 
4d476f
 #define NAME_LDAP_URI			"ldap_uri"
4d476f
 #define NAME_LDAP_TIMEOUT		"ldap_timeout"
4d476f
@@ -1589,6 +1590,17 @@ unsigned int defaults_get_logging(void)
4d476f
 	return logging;
4d476f
 }
4d476f
 
4d476f
+unsigned int defaults_force_std_prog_map_env(void)
4d476f
+{
4d476f
+	int res;
4d476f
+
4d476f
+	res = conf_get_yesno(autofs_gbl_sec, NAME_FORCE_STD_PROG_MAP_ENV);
4d476f
+	if (res < 0)
4d476f
+		res = atoi(DEFAULT_FORCE_STD_PROG_MAP_ENV);
4d476f
+
4d476f
+	return res;
4d476f
+}
4d476f
+
4d476f
 unsigned int defaults_get_ldap_timeout(void)
4d476f
 {
4d476f
 	int res;
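Review bot: defaults_force_std_prog_map_env() has no comment saying that a non-zero return switches the "AUTOFS_" prefix off, which is the security-relevant direction of this option and easy to read the wrong way round from the name. I would add above the definition `/* Non-zero: export the standard variables to program maps without the "AUTOFS_" prefix (unsafe); default is 0. */`. The function keeps the result of conf_get_yesno() in an `int` and returns it as `unsigned int`; the `res < 0` check handles the negative case here, and the same `int res;` pattern is visible in defaults_get_ldap_timeout() below, whose body continues outside the hunk.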
4d476f
--- autofs-5.0.7.orig/man/autofs.5
4d476f
+++ autofs-5.0.7/man/autofs.5
4d476f
@@ -190,6 +190,11 @@ SHOST	Short hostname (domain part remove
4d476f
 .fi
4d476f
 .RE
4d476f
 .sp
4d476f
+If a program map is used these standard environment variables will have
4d476f
+a prefix of "AUTOFS_" to prevent interpreted languages like python from
4d476f
+being able to load and execute arbitray code from a user home directory.
4d476f
+.RE
4d476f
+.sp
4d476f
 Additional entries can be defined with the -Dvariable=Value map-option to
4d476f
 .BR automount (8).
4d476f
 .SS Executable Maps
4d476f
--- autofs-5.0.7.orig/man/autofs.conf.5.in
4d476f
+++ autofs-5.0.7/man/autofs.conf.5.in
4d476f
@@ -71,6 +71,15 @@ options replace the global options (prog
4d476f
 .B logging
4d476f
 .br
4d476f
 set default log level "none", "verbose" or "debug" (program default "none").
4d476f
+.TP
4d476f
+.B force_standard_program_map_env
4d476f
+.br
4d476f
+override the use of a prefix with standard environment variables when a
4d476f
+program map is executed. Since program maps are run as the privileded
4d476f
+user setting these standard environment variables opens automount(8) to
4d476f
+potential user privilege escalation when the program map is written in a
4d476f
+language that can load components from, for example, a user home directory
4d476f
+(program default "no").
4d476f
 .SS LDAP Configuration
4d476f
 .P
4d476f
 Configuration settings available are:
4d476f
--- autofs-5.0.7.orig/modules/lookup_program.c
4d476f
+++ autofs-5.0.7/modules/lookup_program.c
4d476f
@@ -129,6 +129,7 @@ static char *lookup_one(struct autofs_po
4d476f
 	int distance;
4d476f
 	int alloci = 1;
4d476f
 	int status;
4d476f
+	char *prefix;
4d476f
 
4d476f
 	mapent = (char *) malloc(MAPENT_MAX_LEN + 1);
4d476f
 	if (!mapent) {
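Review bot: `char *prefix;` is left uninitialised and only receives a value inside the block added in the next hunk, so the safe choice is not the default on every path through lookup_one(). Initialising it at the declaration, `const char *prefix = "AUTOFS_";`, keeps the prefixed environment unless the option explicitly clears it, and `const` matches the string literal it points to (assuming addstdenv() takes a const pointer; its prototype is not in this patch). lookup_one() starts before and continues past this hunk.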
4d476f
@@ -174,6 +175,17 @@ static char *lookup_one(struct autofs_po
4d476f
 			warn(ap->logopt,
4d476f
 			     MODPREFIX "failed to set PWD to %s for map %s",
4d476f
 			     ap->path, ctxt->mapname);
4d476f
+
4d476f
+		/*
4d476f
+		 * By default use a prefix with standard environment
4d476f
+		 * variables to prevent system subversion by interpreted
4d476f
+		 * languages.
4d476f
+		 */
4d476f
+		if (defaults_force_std_prog_map_env())
4d476f
+			prefix = NULL;
4d476f
+		else
4d476f
+			prefix = "AUTOFS_";
4d476f
+
4d476f
 		/*
4d476f
 		 * MAPFMT_DEFAULT must be "sun" for ->parse_init() to have setup
4d476f
 		 * the macro table.
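Review bot: The branch that sets `prefix = NULL` does so silently, so nothing in the log records that a program map run as the privileged user is being handed unprefixed variables such as HOME. A warning in that branch would let an administrator or auditor see that the hardening has been switched off, for example `warn(ap->logopt, MODPREFIX "force_standard_program_map_env is set, map %s gets unprefixed standard variables", ctxt->mapname);`, with braces added around both branches. The rest of lookup_one() is outside the hunk, so how often this path runs, and therefore how noisy the message would be, should be checked before choosing the log level.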
4d476f
@@ -181,7 +193,7 @@ static char *lookup_one(struct autofs_po
4d476f
 		if (ctxt->mapfmt && strcmp(ctxt->mapfmt, "MAPFMT_DEFAULT")) {
4d476f
 			struct parse_context *pctxt = (struct parse_context *) ctxt->parse->context;
4d476f
 			/* Add standard environment as seen by sun map parser */
4d476f
-			pctxt->subst = addstdenv(pctxt->subst, "AUTOFS_");
4d476f
+			pctxt->subst = addstdenv(pctxt->subst, prefix);
4d476f
 			macro_setenv(pctxt->subst);
4d476f
 		}
4d476f
 		execl(ctxt->mapname, ctxt->mapname, name, NULL);
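Review bot: `addstdenv(pctxt->subst, prefix)` is now reached with `prefix == NULL` when the option is enabled, and nothing in this patch shows addstdenv() accepting a NULL prefix. If that function concatenates or measures the prefix without a NULL check, the unprefixed path would fail in the process that is about to `execl()` the map. Either confirm that addstdenv() treats NULL as "no prefix" and say so in a comment at this call, or pass an empty string from the previous hunk, `prefix = "";`. The enclosing block and lookup_one() itself continue outside the hunk.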
4d476f
--- autofs-5.0.7.orig/redhat/autofs.conf.default.in
4d476f
+++ autofs-5.0.7/redhat/autofs.conf.default.in
4d476f
@@ -53,6 +53,17 @@ mount_nfs_default_protocol = 4
4d476f
 #
4d476f
 #logging = none
4d476f
 #
4d476f
+# force_standard_program_map_env - disable the use of the "AUTOFS_"
4d476f
+#			prefix for standard environemt variables when
4d476f
+#			executing a program map. Since program maps
4d476f
+#			are run as the privileded user this opens
4d476f
+#			automount(8) to potential user privilege
4d476f
+#			escalation when the program map is written
4d476f
+#			in a language that  can load components from,
4d476f
+#			for example, a user home directory.
4d476f
+#
4d476f
+# force_standard_program_map_env = no
4d476f
+#
4d476f
 # Define base dn for map dn lookup.
4d476f
 #
4d476f
 # Define server URIs
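Review bot: The new comment block never states which value is the safe one, so a reader has to infer that `no` keeps the "AUTOFS_" prefix and `yes` removes it. I would end the block with a line such as `# Leave this set to "no" unless a program map needs the unprefixed variables.` and correct the spellings `environemt` and `privileded` in the same pass. The identical block added to samples/autofs.conf.default.in needs the same change.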
4d476f
--- autofs-5.0.7.orig/samples/autofs.conf.default.in
4d476f
+++ autofs-5.0.7/samples/autofs.conf.default.in
4d476f
@@ -52,6 +52,17 @@ browse_mode = no
4d476f
 #
4d476f
 #logging = none
4d476f
 #
4d476f
+# force_standard_program_map_env - disable the use of the "AUTOFS_"
4d476f
+#			prefix for standard environemt variables when
4d476f
+#			executing a program map. Since program maps
4d476f
+#			are run as the privileded user this opens
4d476f
+#			automount(8) to potential user privilege
4d476f
+#			escalation when the program map is written
4d476f
+#			in a language that  can load components from,
4d476f
+#			for example, a user home directory.
4d476f
+#
4d476f
+# force_standard_program_map_env = no
4d476f
+#
4d476f
 # Define base dn for map dn lookup.
4d476f
 #
4d476f
 # Define server URIs