From 762c7c65103615d976beeb4c8e2d1d9a79c87d86 Mon Sep 17 00:00:00 2001 From: Theodore Ts'o Date: Wed, 6 Apr 2005 14:44:16 -0400 Subject: Add paranoia checks into the blkid, ext2fs, and ss libraries to ignore environment variables if the libraries are called from setuid or setguid programs, or if kernel believes that the process is not eligible to create a core dump. In addition, if the libc has __secure_getenv(), use it so that the libc can also do any additional limitations regarding when libraries can trust environment variables (i.e., to integrate with systems like SELinux and Posix capabilities). --- lib/ss/ChangeLog | 7 +++++++ lib/ss/get_readline.c | 2 +- lib/ss/pager.c | 31 ++++++++++++++++++++++++++++++- lib/ss/ss_internal.h | 1 + 4 files changed, 39 insertions(+), 2 deletions(-) (limited to 'lib/ss') diff --git a/lib/ss/ChangeLog b/lib/ss/ChangeLog index 2dcc071f..40be15f6 100644 --- a/lib/ss/ChangeLog +++ b/lib/ss/ChangeLog @@ -1,3 +1,10 @@ +2005-03-31 Theodore Ts'o + + * get_readline.c (ss_get_readline), pager.c (ss_page_stdin): If + called by a setuid/setgid or an otherwise privileged + program, be paranoid and ignore the PAGER and + SS_READLINE_PATH environment variables. + 2005-03-21 Theodore Ts'o * Release of E2fsprogs 1.37 diff --git a/lib/ss/get_readline.c b/lib/ss/get_readline.c index d9499e6d..b9754d89 100644 --- a/lib/ss/get_readline.c +++ b/lib/ss/get_readline.c @@ -50,7 +50,7 @@ void ss_get_readline(int sci_idx) if (info->readline_handle) return; - libpath = getenv("SS_READLINE_PATH"); + libpath = ss_safe_getenv("SS_READLINE_PATH"); if (!libpath) libpath = DEFAULT_LIBPATH; if (*libpath == 0 || !strcmp(libpath, "none")) diff --git a/lib/ss/pager.c b/lib/ss/pager.c index ba28f97a..4030c7f7 100644 --- a/lib/ss/pager.c +++ b/lib/ss/pager.c @@ -28,11 +28,40 @@ extern int errno; #include #include #include +#ifdef HAVE_SYS_PRCTL_H +#include +#else +#define PR_GET_DUMPABLE 3 +#endif +#if (!defined(HAVE_PRCTL) && defined(linux)) +#include +#endif static char MORE[] = "more"; extern char *_ss_pager_name; extern char *getenv PROTOTYPE((const char *)); +char *ss_safe_getenv(const char *arg) +{ + if ((getuid() != geteuid()) || (getgid() != getgid())) + return NULL; +#if HAVE_PRCTL + if (prctl(PR_GET_DUMPABLE) == 0) + return NULL; +#else +#if (defined(linux) && defined(SYS_prctl)) + if (syscall(SYS_prctl, PR_GET_DUMPABLE) == 0) + return NULL; +#endif +#endif + +#ifdef HAVE___SECURE_GETENV + return __secure_getenv("BLKID_FILE"); +#else + return getenv("BLKID_FILE"); +#endif +} + /* * this needs a *lot* of work.... * @@ -89,7 +118,7 @@ void ss_page_stdin() sigdelset(&mask, SIGINT); sigprocmask(SIG_SETMASK, &mask, 0); if (_ss_pager_name == (char *)NULL) { - if ((_ss_pager_name = getenv("PAGER")) == (char *)NULL) + if ((_ss_pager_name = ss_safe_getenv("PAGER")) == (char *)NULL) _ss_pager_name = MORE; } (void) execlp(_ss_pager_name, _ss_pager_name, (char *) NULL); diff --git a/lib/ss/ss_internal.h b/lib/ss/ss_internal.h index 48afdbd0..15d618ee 100644 --- a/lib/ss/ss_internal.h +++ b/lib/ss/ss_internal.h @@ -89,6 +89,7 @@ void ss_page_stdin(void); void ss_list_requests(int, char const * const *, int, pointer); int ss_execute_command(int sci_idx, char *argv[]); int ss_pager_create(void); +char *ss_safe_getenv(const char *arg); char **ss_rl_completion(const char *text, int start, int end); extern ss_data **_ss_table; -- cgit v1.2.3