Date: Tue, 10 Feb 2015 11:01:51 +0100
From: Mateusz Guzik
To: Rui Paulo
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Rui Paulo
Subject: Re: svn commit: r278479 - in head: etc sys/kern
Message-ID: <20150210100151.GA5994@dft-labs.eu>
References: <201502092313.t19NDpoS083043@svn.freebsd.org> <20150210024317.GA21779@dft-labs.eu>
User-Agent: Mutt/1.5.21 (2010-09-15)
List-Id: SVN commit messages for the src tree for head/-current

On Mon, Feb 09, 2015 at 06:57:36PM -0800, Rui Paulo wrote:
> On Feb 9, 2015, at 18:43, Mateusz Guzik wrote:
> > 
> > On Mon, Feb 09, 2015 at 11:13:51PM +0000, Rui Paulo wrote:
> >> +notify 10 {
> >> + match "system" "kernel";
> >> + match "subsystem" "signal";
> >> + match "type" "coredump";
> >> + action "logger $comm $core";
> >> +};
> >> +
> >> */
> >> 
> > [..]
> >> + if (vn_fullpath_global(td, p->p_textvp, &fullpath, &freepath) != 0)
> >> + goto out;
> >> + snprintf(data, len, "comm=%s", fullpath);
> > 
> > I cannot test it right now, but it looks like immediate privilege
> > escalation.
> > 
> > Path is not sanitized in any way and devd passes it to 'sh -c'.
> > 
> > So a file named "a.out; /bin/id; meh" or so should result in execution
> > of aforementioned /bin/id.
> 
> Well, you can't have a file name with "/" but you're right.
> 

I mean the whole path. You are resolving the name along with all dirs, so
it's just a matter of some mkdirs.
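Review bot: in the devd.conf hunk, `action "logger $comm $core";` puts the two expanded variables straight onto a command line that devd, as noted later in this thread, runs via `sh -c`, and devd substitutes $comm and $core itself before the shell ever sees the string, so quoting them inside the action string cannot protect against a value that carries a `'`, `;` or space. Either the producer guarantees a shell-safe encoding of the path, or the shipped example should not feed the raw path to a shell action.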
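Review bot: the kernel hunk's `snprintf(data, len, "comm=%s", fullpath);` copies the result of vn_fullpath_global() into the devctl record unfiltered, and every component of that path (directory names included) is chosen by whoever ran the process that dumped core, so it reaches the consumer verbatim. Before the snprintf, either reject paths containing bytes outside a safe set and skip the notification, or encode such bytes; an encoding also keeps a space in the path from breaking the record's key=value layout. It is also worth checking that the `goto out` path and the success path both release `freepath`.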
> > Another note is that currently devctl is record oriented, but this may
> > change at some point and free form userspace text could be used to forge
> > new events.
> > 
> > As such I strongly suggest we sanitize this somehow. Maybe a base64 or
> > something.
> 
> I was trying hard to avoid this issue in my unpublished crash helper, but I
> forgot that devd runs execl("sh -c", ....); :-(
> 
> It might just be easier to inspect the path names and allow only
> [a-z][A-Z][0-9] and '/' before sending the devctl message.
> 

I'm pretty sure sooner or later people will want something with a space, so
I would prefer a reasonably complete solution. A hack like the one you
mention should suffice for now though (with the addition of a dot).

-- 
Mateusz Guzik
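The two fixes discussed above, written out as an added example for this page rather than code from the FreeBSD commit or from devd: the [A-Za-z0-9/.] whitelist check Rui proposes (with the dot Mateusz asks for) and, beside it, a percent-encoding of everything outside that set, which keeps paths with spaces or shell metacharacters usable while leaving the devctl record and the `sh -c` command line untouched by them. The comm_path_* names are illustrative, and the sample path is a constructed payload shaped after the "a.out; /bin/id; meh" one in the thread.

```c
/* Added example, not code from the FreeBSD commit or from devd.
 * The comm_path_* names and the sample path are illustrative. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes the thread lets through raw: [A-Za-z0-9], '/' and '.'.
 * Deliberately locale-independent (no ctype). */
static bool
is_unreserved(unsigned char c)
{
	return ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
	    (c >= '0' && c <= '9') || c == '/' || c == '.');
}

/* Stop-gap from the thread: accept the path only if every byte is
 * unreserved; the caller skips the devctl notification otherwise. */
bool
comm_path_is_safe(const char *path)
{
	if (*path == '\0')
		return (false);
	for (const char *p = path; *p != '\0'; p++)
		if (!is_unreserved((unsigned char)*p))
			return (false);
	return (true);
}

/* Fuller solution: percent-encode every byte outside the unreserved set.
 * The output has no spaces (so it fits a key=value record) and no shell
 * metacharacters; the consumer decodes it. Returns bytes written
 * (excluding the NUL), or 0 when out is too small. */
size_t
comm_path_encode(const char *path, char *out, size_t outlen)
{
	static const char hex[] = "0123456789ABCDEF";
	size_t n = 0;
	for (const unsigned char *p = (const unsigned char *)path; *p; p++) {
		if (is_unreserved(*p)) {
			if (n + 1 >= outlen)
				return (0);
			out[n++] = (char)*p;
		} else {
			if (n + 3 >= outlen)
				return (0);
			out[n++] = '%';
			out[n++] = hex[*p >> 4];
			out[n++] = hex[*p & 0x0f];
		}
	}
	out[n] = '\0';
	return (n);
}

static int
hexval(unsigned char c)
{
	if (c >= '0' && c <= '9')
		return (c - '0');
	if (c >= 'A' && c <= 'F')
		return (c - 'A' + 10);
	if (c >= 'a' && c <= 'f')
		return (c - 'a' + 10);
	return (-1);
}

/* Inverse of comm_path_encode, for the consumer (devd, a crash helper).
 * Rejects a truncated or non-hex escape. Returns bytes written, or 0 on
 * malformed input or insufficient space. */
size_t
comm_path_decode(const char *enc, char *out, size_t outlen)
{
	size_t n = 0;
	for (const char *p = enc; *p != '\0'; p++) {
		int c = (unsigned char)*p;
		if (c == '%') {
			int hi = hexval((unsigned char)p[1]);
			int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
			if (hi < 0 || lo < 0)
				return (0);
			c = hi * 16 + lo;
			p += 2;
		}
		if (n + 1 >= outlen)
			return (0);
		out[n++] = (char)c;
	}
	out[n] = '\0';
	return (n);
}

/* True if sh(1) would treat any byte of s specially on a "sh -c" command
 * line; used to check what the encoder emits. */
bool
has_shell_metachar(const char *s)
{
	return (strpbrk(s, " \t\n;&|<>()$`\\\"'*?[]#~") != NULL);
}

int
main(void)
{
	/* Constructed payload: the thread's file name under a mkdir'd directory
	 * so the full path carries the injection. */
	const char *evil = "/tmp/a.out; /bin/id; meh";
	char enc[256], dec[256], cmd[512];
	printf("raw path safe to emit? %s\n", comm_path_is_safe(evil) ? "yes" : "no");
	if (comm_path_encode(evil, enc, sizeof(enc)) == 0)
		return (1);
	/* What 'action "logger $comm"' would hand to sh -c after expansion. */
	snprintf(cmd, sizeof(cmd), "logger %s", enc);
	printf("command line: %s\n", cmd);
	printf("shell metacharacters left: %s\n", has_shell_metachar(enc) ? "yes" : "no");
	if (comm_path_decode(enc, dec, sizeof(dec)) == 0)
		return (1);
	printf("round trip intact: %s\n", strcmp(evil, dec) == 0 ? "yes" : "no");
	return (0);
}
```

The whitelist is the cheap fix for the kernel side and is what the thread settles on for now; the encoder is the shape a "reasonably complete solution" takes, since the devctl consumer still has to split the record on spaces and the action still goes through a shell, so the producer, not the conf file, has to make the value inert.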