|
 |
43fe83 |
From ebad72b771d17033f03c00bcdc5bb24db5116862 Mon Sep 17 00:00:00 2001
|
|
|
43fe83 |
Message-Id: <ebad72b771d17033f03c00bcdc5bb24db5116862.1383321464.git.jdenemar@redhat.com>
|
|
|
43fe83 |
From: "Daniel P. Berrange" <berrange@redhat.com>
|
|
|
43fe83 |
Date: Wed, 30 Oct 2013 17:01:42 +0000
|
|
|
43fe83 |
Subject: [PATCH] Only allow 'stderr' log output when running setuid
|
|
|
43fe83 |
|
|
|
43fe83 |
CVE-2013-4400
|
|
|
43fe83 |
|
|
|
43fe83 |
We must not allow file/syslog/journald log outputs when running
|
|
|
43fe83 |
setuid since they can be abused to do bad things. In particular
|
|
|
43fe83 |
the 'file' output can be used to overwrite files.
|
|
|
43fe83 |
|
|
|
43fe83 |
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
|
|
43fe83 |
(cherry picked from commit 8c3586ea755c40d5e01b22cb7b5c1e668cdec994)
|
|
|
43fe83 |
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
|
|
|
43fe83 |
---
|
|
|
43fe83 |
src/util/virlog.c | 10 ++++++++++
|
|
|
43fe83 |
1 file changed, 10 insertions(+)
|
|
|
43fe83 |
|
|
|
43fe83 |
diff --git a/src/util/virlog.c b/src/util/virlog.c
|
|
|
43fe83 |
index 6f791ad..694da89 100644
|
|
|
43fe83 |
--- a/src/util/virlog.c
|
|
|
43fe83 |
+++ b/src/util/virlog.c
|
|
|
43fe83 |
@@ -1324,6 +1324,9 @@ int virLogPriorityFromSyslog(int priority ATTRIBUTE_UNUSED)
|
|
|
43fe83 |
* Multiple output can be defined in a single @output, they just need to be
|
|
|
43fe83 |
* separated by spaces.
|
|
|
43fe83 |
*
|
|
|
43fe83 |
+ * If running in setuid mode, then only the 'stderr' output will
|
|
|
43fe83 |
+ * be allowed
|
|
|
43fe83 |
+ *
|
|
|
43fe83 |
* Returns the number of output parsed and installed or -1 in case of error
|
|
|
43fe83 |
*/
|
|
|
43fe83 |
int
|
|
|
43fe83 |
@@ -1335,6 +1338,7 @@ virLogParseOutputs(const char *outputs)
|
|
|
43fe83 |
virLogPriority prio;
|
|
|
43fe83 |
int ret = -1;
|
|
|
43fe83 |
int count = 0;
|
|
|
43fe83 |
+ bool isSUID = virIsSUID();
|
|
|
43fe83 |
|
|
|
43fe83 |
if (cur == NULL)
|
|
|
43fe83 |
return -1;
|
|
|
43fe83 |
@@ -1354,6 +1358,8 @@ virLogParseOutputs(const char *outputs)
|
|
|
43fe83 |
if (virLogAddOutputToStderr(prio) == 0)
|
|
|
43fe83 |
count++;
|
|
|
43fe83 |
} else if (STREQLEN(cur, "syslog", 6)) {
|
|
|
43fe83 |
+ if (isSUID)
|
|
|
43fe83 |
+ goto cleanup;
|
|
|
43fe83 |
cur += 6;
|
|
|
43fe83 |
if (*cur != ':')
|
|
|
43fe83 |
goto cleanup;
|
|
|
43fe83 |
@@ -1371,6 +1377,8 @@ virLogParseOutputs(const char *outputs)
|
|
|
43fe83 |
VIR_FREE(name);
|
|
|
43fe83 |
#endif /* HAVE_SYSLOG_H */
|
|
|
43fe83 |
} else if (STREQLEN(cur, "file", 4)) {
|
|
|
43fe83 |
+ if (isSUID)
|
|
|
43fe83 |
+ goto cleanup;
|
|
|
43fe83 |
cur += 4;
|
|
|
43fe83 |
if (*cur != ':')
|
|
|
43fe83 |
goto cleanup;
|
|
|
43fe83 |
@@ -1391,6 +1399,8 @@ virLogParseOutputs(const char *outputs)
|
|
|
43fe83 |
VIR_FREE(name);
|
|
|
43fe83 |
VIR_FREE(abspath);
|
|
|
43fe83 |
} else if (STREQLEN(cur, "journald", 8)) {
|
|
|
43fe83 |
+ if (isSUID)
|
|
|
43fe83 |
+ goto cleanup;
|
|
|
43fe83 |
cur += 8;
|
|
|
43fe83 |
#if USE_JOURNALD
|
|
|
43fe83 |
if (virLogAddOutputToJournald(prio) == 0)
|
|
|
43fe83 |
--
|
|
|
43fe83 |
1.8.4.2
|
|
|
43fe83 |
|