Date:      Mon, 09 Feb 2015 19:13:57 -0800
From:      Rui Paulo <rpaulo@me.com>
To:        Don Lewis <truckman@FreeBSD.org>
Cc:        svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, mjguzik@gmail.com, rpaulo@FreeBSD.org, src-committers@FreeBSD.org
Subject:   Re: svn commit: r278479 - in head: etc sys/kern
Message-ID:  <E80592CA-9DFD-4CC4-8B8B-B113206AC6C4@me.com>
In-Reply-To: <201502100311.t1A3BkE0016096@gw.catspoiler.org>
References:  <201502100311.t1A3BkE0016096@gw.catspoiler.org>

On Feb 9, 2015, at 19:11, Don Lewis <truckman@FreeBSD.org> wrote:
>
> On 10 Feb, Mateusz Guzik wrote:
>> On Mon, Feb 09, 2015 at 11:13:51PM +0000, Rui Paulo wrote:
>>> +notify 10 {
>>> +	match "system"          "kernel";
>>> +	match "subsystem"       "signal";
>>> +	match "type"            "coredump";
>>> +	action "logger $comm $core";
>>> +};
>>> +
>>> */
>>>
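Review bot: the example `action "logger $comm $core";` line puts both variables bare into the command string, and nothing inside this block tells the reader that `$comm` is filled from the crashing executable's full path (see the `comm=%s` hunk). This block is what people will copy out of the comment that closes at `*/`, so add a line inside it stating that the values are user-influenced, or show the action calling a dedicated helper rather than `logger`.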
>> [..]
>>> +	if (vn_fullpath_global(td, p->p_textvp, &fullpath, &freepath) !=3D=
 0)
>>> +		goto out;
>>> +	snprintf(data, len, "comm=3D%s", fullpath);
>>
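Review bot: on the `snprintf(data, len, "comm=%s", fullpath)` line the path returned by `vn_fullpath_global()` is copied into the event verbatim, so spaces, quotes and shell metacharacters in a file name reach whatever consumes `comm`. Encode or reject such names here before the event is sent, and check the return value of `snprintf` against `len` so a truncated path is not reported as if it were complete.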
>> I cannot test it right now, but it looks like immediate privilege
>> escalation.
>>=20
>> Path is not sanitized in any way and devd passes it to 'sh -c'.
>>
>> So a file named "a.out; /bin/id; meh" or so should result in execution
>> of aforementioned /bin/id.
>
> Then there is the issue of a user-generated core file being fed into the
> crash analyzer, possibly exploiting bugs in the latter.

That's why there's a warning in devd.conf: devd will run the helper as
root, so a properly written helper has to drop the privileges very early
or be invoked by devd with lower privileges.  My helper just drops
privileges to match the UID/GID of the generated core file before doing
anything else.

--
Rui Paulo





