Re: [PATCH 1/3] Implementation deficiency in virInitctlSetRunLevel v2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Dec 19, 2013 at 08:07:39PM +0400, Reco wrote:
>  Hello, list.
> 
> Refuse following symlinks in virInitctlSetRunLevel.
> A reasonable fallback for the next two patches, which apply fork-setns
> technique recommended on this list.
> 
> ---
>  src/util/virinitctl.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/util/virinitctl.c b/src/util/virinitctl.c
> index 64bc23a..5cea992 100644
> --- a/src/util/virinitctl.c
> +++ b/src/util/virinitctl.c
> @@ -139,7 +139,7 @@ int virInitctlSetRunLevel(virInitctlRunLevel level,
>              return -1;
>      }
>  
> -    if ((fd = open(path, O_WRONLY|O_NONBLOCK|O_CLOEXEC|O_NOCTTY)) < 0) 
> {
> +    if ((fd = open(path, O_WRONLY|O_NONBLOCK|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW)) < 0) {
>          if (errno == ENOENT) {
>              ret = 0;
>              goto cleanup;

Unfortunately O_NOFOLLOW will still resolve a symlink for '/dev' itself.
AFAICT there is simply no safe way to open /proc/$pid/root/* files at
all if you don't trust the $pid.

Unless someone has bright ideas then I think we should just abandon any
and all use of /proc/$PID/root and mandate setns() for this. Yes it will
mean we require newer kernel for this functionality to work but that is
preferrable to an insecure impl I think.

NB, we are treating this issue as a public security flaw and will assign
a CVE for it soon.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]