On Thu, Dec 19, 2013 at 08:07:39PM +0400, Reco wrote:
Hello, list.
Refuse following symlinks in virInitctlSetRunLevel. A reasonable fallback for the next two patches, which apply fork-setns technique recommended on this list.
--- src/util/virinitctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/util/virinitctl.c b/src/util/virinitctl.c index 64bc23a..5cea992 100644 --- a/src/util/virinitctl.c +++ b/src/util/virinitctl.c @@ -139,7 +139,7 @@ int virInitctlSetRunLevel(virInitctlRunLevel level, return -1; }
- if ((fd = open(path, O_WRONLY|O_NONBLOCK|O_CLOEXEC|O_NOCTTY)) < 0) { + if ((fd = open(path, O_WRONLY|O_NONBLOCK|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW)) < 0) { if (errno == ENOENT) { ret = 0; goto cleanup;
Unfortunately O_NOFOLLOW will still resolve a symlink for '/dev' itself. AFAICT there is simply no safe way to open /proc/$pid/root/* files at all if you don't trust the $pid. Unless someone has bright ideas then I think we should just abandon any and all use of /proc/$PID/root and mandate setns() for this. Yes it will mean we require newer kernel for this functionality to work but that is preferrable to an insecure impl I think. NB, we are treating this issue as a public security flaw and will assign a CVE for it soon. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|