[libvirt] [PATCH 1/3] Implementation deficiency in virInitctlSetRunLevel v2
- First Post
- Replies
- Stats
-
Go to
- ----- 2024 -----
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
Hello, list.
Refuse following symlinks in virInitctlSetRunLevel.
A reasonable fallback for the next two patches, which apply fork-setns
technique recommended on this list.
---
src/util/virinitctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/util/virinitctl.c b/src/util/virinitctl.c
index 64bc23a..5cea992 100644
--- a/src/util/virinitctl.c
+++ b/src/util/virinitctl.c
@@ -139,7 +139,7 @@ int virInitctlSetRunLevel(virInitctlRunLevel level,
return -1;
}
- if ((fd = open(path, O_WRONLY|O_NONBLOCK|O_CLOEXEC|O_NOCTTY)) < 0)
{
+ if ((fd = open(path, O_WRONLY|O_NONBLOCK|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW)) < 0) {
if (errno == ENOENT) {
ret = 0;
goto cleanup;
--
1.7.10.4
On Thu, Dec 19, 2013 at 08:07:39PM +0400, Reco wrote:
Hello, list.
Refuse following symlinks in virInitctlSetRunLevel.
A reasonable fallback for the next two patches, which apply fork-setns
technique recommended on this list.
---
src/util/virinitctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/util/virinitctl.c b/src/util/virinitctl.c
index 64bc23a..5cea992 100644
--- a/src/util/virinitctl.c
+++ b/src/util/virinitctl.c
@@ -139,7 +139,7 @@ int virInitctlSetRunLevel(virInitctlRunLevel level,
return -1;
}
- if ((fd = open(path, O_WRONLY|O_NONBLOCK|O_CLOEXEC|O_NOCTTY)) < 0)
{
+ if ((fd = open(path, O_WRONLY|O_NONBLOCK|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW)) < 0) {
if (errno == ENOENT) {
ret = 0;
goto cleanup;
Unfortunately O_NOFOLLOW will still resolve a symlink for '/dev' itself.
AFAICT there is simply no safe way to open /proc/$pid/root/* files at
all if you don't trust the $pid.
Unless someone has bright ideas then I think we should just abandon any
and all use of /proc/$PID/root and mandate setns() for this. Yes it will
mean we require newer kernel for this functionality to work but that is
preferrable to an insecure impl I think.
NB, we are treating this issue as a public security flaw and will assign
a CVE for it soon.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
On 12/19/2013 09:07 AM, Reco wrote:
Hello, list.
Refuse following symlinks in virInitctlSetRunLevel.
A reasonable fallback for the next two patches, which apply fork-setns
technique recommended on this list.
Your patches came through as independent top-level threads, rather than
in-reply to a common cover letter. That makes it a bit harder to track
things in mail clients, especially ones set to sort threads by most
recent activity. A good rule of thumb when setting up 'git send-email'
is to first send email to yourself to make sure it comes through
properly threaded, before sending to the list.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
3963
days inactive
3963
days old
2 comments
3 participants
tags (0)
participants (3)
-
Daniel P. Berrange -
Eric Blake -
Reco