Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 396998 Details for
Bug 540006
[Auditing] sys-apps/openrc: checkpath: {hard,symbolic} link as possible attack vector to gain privilege escalation
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
0001-checkpath-do-not-chown-or-chmod-symbolic-links.patch
0001-checkpath-do-not-chown-or-chmod-symbolic-links.patch (text/plain), 2.09 KB, created by
William Hubbs
on 2015-02-19 21:19:05 UTC
(
hide
)
Description:
0001-checkpath-do-not-chown-or-chmod-symbolic-links.patch
Filename:
MIME Type:
Creator:
William Hubbs
Created:
2015-02-19 21:19:05 UTC
Size:
2.09 KB
patch
obsolete
>From a0378f38713e630e1af9101c2ece5d27ca2130fe Mon Sep 17 00:00:00 2001 >From: William Hubbs <w.d.hubbs@gmail.com> >Date: Thu, 19 Feb 2015 12:44:21 -0600 >Subject: [PATCH] checkpath: do not chown or chmod symbolic links > >This is another security fix. If you use chown() or chmod() on a >symbolic link, it affects the referenced file, not the symbolic link >itself. > >X-Gentoo-Bug: 540006 >X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=540006 >--- > src/rc/checkpath.c | 14 +++++++++++--- > 1 file changed, 11 insertions(+), 3 deletions(-) > >diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c >index 4e36242..87115a4 100644 >--- a/src/rc/checkpath.c >+++ b/src/rc/checkpath.c >@@ -68,7 +68,7 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode, > int u; > > memset(&st, 0, sizeof(st)); >- if (stat(path, &st) || trunc) { >+ if (lstat(path, &st) || trunc) { > if (type == inode_file) { > einfo("%s: creating file", path); > if (!mode) /* 664 */ >@@ -133,10 +133,14 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode, > } > > if (mode && (st.st_mode & 0777) != mode) { >- if ((type != inode_dir) && (st.st_nlink != 1)) { >+ if ((type != inode_dir) && (st.st_nlink > 1)) { > eerror("%s: chmod: %s %s", applet, "Too many hard links to", path); > return -1; > } >+ if (S_ISLNK(st.st_mode)) { >+ eerror("%s: chmod: %s %s", applet, path, " is a symbolic link"); >+ return -1; >+ } > einfo("%s: correcting mode", path); > if (chmod(path, mode)) { > eerror("%s: chmod: %s", applet, strerror(errno)); >@@ -145,10 +149,14 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode, > } > > if (chowner && (st.st_uid != uid || st.st_gid != gid)) { >- if ((type != inode_dir) && (st.st_nlink != 1)) { >+ if ((type != inode_dir) && (st.st_nlink > 1)) { > eerror("%s: chown: %s %s", applet, "Too many hard links to", path); > return -1; > } >+ if (S_ISLNK(st.st_mode)) { >+ eerror("%s: chown: %s %s", applet, path, " is a symbolic link"); >+ return -1; >+ } > einfo("%s: correcting owner", path); > if (chown(path, uid, gid)) { > eerror("%s: chown: %s", applet, strerror(errno)); >-- >2.0.5 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=396998">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 540006
:
396408
|
396558
|
396990
|
396992
| 396998
