[libvirt] [PATCH 02/14] Only allow 'stderr' log output when running setuid (CVE-2013-4400)
From: "Daniel P. Berrange" <berrange(a)redhat.com>
We must not allow file/syslog/journald log outputs when running
setuid since they can be abused to do bad things. In particular
the 'file' output can be used to overwrite files.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/util/virlog.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/util/virlog.c b/src/util/virlog.c
index 8a688fd..997d582 100644
--- a/src/util/virlog.c
+++ b/src/util/virlog.c
@@ -1324,6 +1324,9 @@ int virLogPriorityFromSyslog(int priority ATTRIBUTE_UNUSED)
* Multiple output can be defined in a single @output, they just need to be
* separated by spaces.
*
+ * If running in setuid mode, then only the 'stderr' output will
+ * be allowed
+ *
* Returns the number of output parsed and installed or -1 in case of error
*/
int
@@ -1335,6 +1338,7 @@ virLogParseOutputs(const char *outputs)
virLogPriority prio;
int ret = -1;
int count = 0;
+ bool isSUID = virIsSUID();
if (cur == NULL)
return -1;
@@ -1354,6 +1358,8 @@ virLogParseOutputs(const char *outputs)
if (virLogAddOutputToStderr(prio) == 0)
count++;
} else if (STREQLEN(cur, "syslog", 6)) {
+ if (isSUID)
+ goto cleanup;
cur += 6;
if (*cur != ':')
goto cleanup;
@@ -1371,6 +1377,8 @@ virLogParseOutputs(const char *outputs)
VIR_FREE(name);
#endif /* HAVE_SYSLOG_H */
} else if (STREQLEN(cur, "file", 4)) {
+ if (isSUID)
+ goto cleanup;
cur += 4;
if (*cur != ':')
goto cleanup;
@@ -1391,6 +1399,8 @@ virLogParseOutputs(const char *outputs)
VIR_FREE(name);
VIR_FREE(abspath);
} else if (STREQLEN(cur, "journald", 8)) {
+ if (isSUID)
+ goto cleanup;
cur += 8;
#if USE_JOURNALD
if (virLogAddOutputToJournald(prio) == 0)
--
1.8.3.1