Date: Mon, 09 Feb 2015 19:13:57 -0800
From: Rui Paulo <rpaulo@me.com>
To: Don Lewis <truckman@FreeBSD.org>
Cc: svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, mjguzik@gmail.com, rpaulo@FreeBSD.org, src-committers@FreeBSD.org
Subject: Re: svn commit: r278479 - in head: etc sys/kern
Message-ID: <E80592CA-9DFD-4CC4-8B8B-B113206AC6C4@me.com>
In-Reply-To: <201502100311.t1A3BkE0016096@gw.catspoiler.org>
References: <201502100311.t1A3BkE0016096@gw.catspoiler.org>
On Feb 9, 2015, at 19:11, Don Lewis <truckman@FreeBSD.org> wrote:
>
> On 10 Feb, Mateusz Guzik wrote:
>> On Mon, Feb 09, 2015 at 11:13:51PM +0000, Rui Paulo wrote:
>>> +notify 10 {
>>> + match "system" "kernel";
>>> + match "subsystem" "signal";
>>> + match "type" "coredump";
>>> + action "logger $comm $core";
>>> +};
>>> +
>>> */
>>>
>> [..]
>>> + if (vn_fullpath_global(td, p->p_textvp, &fullpath, &freepath) != 0)
>>> + goto out;
>>> + snprintf(data, len, "comm=%s", fullpath);
>>
>> I cannot test it right now, but it looks like immediate privilege
>> escalation.
>>
>> Path is not sanitized in any way and devd passes it to 'sh -c'.
>>
>> So a file named "a.out; /bin/id; meh" or so should result in execution
>> of aforementioned /bin/id.
>
> Then there is the issue of a user-generated core file being fed into the
> crash analyzer, possibly exploiting bugs in the latter.

That's why there's a warning in devd.conf: devd will run the helper as root, so a properly written helper has to drop the privileges very early or be invoked by devd with lower privileges. My helper just drops privileges to match the UID/GID of the generated core file before doing anything else.

--
Rui Paulo
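Review bot: the `snprintf(data, len, "comm=%s", fullpath)` line in the sys/kern hunk formats the executable's full path into the notification with no escaping, and the devd.conf hunk's `action "logger $comm $core"` rule hands that expanded string to `sh -c`, so shell metacharacters in a file name change the command devd runs as root. The value should be validated or escaped on the kernel side before it is formatted (reject or strip anything outside a conservative character set), since a helper that runs after `sh -c` has parsed the line is too late to help.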
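What the helper side of that devd rule can do for itself, as an added example that is not Rui Paulo's helper and not FreeBSD code: reject any path it is handed that falls outside a conservative character set, then drop to the UID/GID owning the core file and verify the drop before touching the (user-generated) core. Assumed: the helper is invoked as `helper /abs/comm /abs/core` with each value in its own argv slot; the allowed character set and the 1024-byte bound are arbitrary choices. These checks limit what the helper does with a hostile path or core file; they cannot undo what `sh -c` already did while expanding the action line, which is the point Mateusz raises above.

```c
/* Added example, not the helper from the thread. Assumption: argv[1] is the
 * executable path ($comm) and argv[2] the core file path ($core). */
#include <sys/types.h>
#include <sys/stat.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Accept only an absolute path built from a conservative character set
 * (arbitrary choice here), with no empty, "." or ".." components.
 * Returns 1 if the path is acceptable, 0 otherwise. */
int safe_core_path(const char *p)
{
    const char *allowed = "abcdefghijklmnopqrstuvwxyz"
                          "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                          "0123456789._-/";
    const char *s, *e;
    size_t n, len;

    if (p == NULL || p[0] != '/')
        return 0;
    n = strlen(p);
    if (n >= 1024 || strspn(p, allowed) != n)   /* metacharacters, spaces, etc. */
        return 0;
    /* s always points at a '/', the component runs from s+1 to the next '/' */
    for (s = p; ; s = e) {
        e = strchr(s + 1, '/');
        len = e ? (size_t)(e - (s + 1)) : strlen(s + 1);
        if (len == 0 ||                                   /* "//" or trailing "/" */
            (len == 1 && s[1] == '.') ||                  /* "." */
            (len == 2 && s[1] == '.' && s[2] == '.'))     /* ".." */
            return 0;
        if (e == NULL)
            break;
    }
    return 1;
}

/* Drop to the uid/gid owning the core file and confirm the drop stuck.
 * Returns 0 on success, -1 on any failure (caller must then exit). */
int drop_to_core_owner(const char *core)
{
    struct stat st;
    gid_t gid;

    if (stat(core, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    gid = st.st_gid;
    /* order matters: supplementary groups, then gid, then uid; after setuid()
     * a non-root process cannot change them back */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(st.st_uid) != 0)
        return -1;
    if (getuid() != st.st_uid || geteuid() != st.st_uid || getgid() != gid)
        return -1;
    /* for a non-root owner, prove root cannot be regained */
    if (st.st_uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3 || !safe_core_path(argv[1]) || !safe_core_path(argv[2])) {
        fprintf(stderr, "usage: helper /abs/comm /abs/core (unsafe paths are rejected)\n");
        return 1;
    }
    if (drop_to_core_owner(argv[2]) != 0) {
        fprintf(stderr, "cannot drop privileges to the core file owner\n");
        return 1;
    }
    /* only now is the untrusted core file opened or analysed */
    printf("analysing %s for %s as uid %u\n", argv[2], argv[1], (unsigned)getuid());
    return 0;
}
```

Running the helper as root against a core owned by a regular user leaves the analysis step with that user's identity, so a bug in the analyser triggered by a crafted core yields no more than the crashing user already had.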