On Feb 9, 2015, at 19:11, Don Lewis <truck...@freebsd.org> wrote:
>
> On 10 Feb, Mateusz Guzik wrote:
>> On Mon, Feb 09, 2015 at 11:13:51PM +0000, Rui Paulo wrote:
>>> +notify 10 {
>>> + match "system" "kernel";
>>> + match "subsystem" "signal";
>>> + match "type" "coredump";
>>> + action "logger $comm $core";
>>> +};
>>> +
>>> */
>>>
>> [..]
>>> + if (vn_fullpath_global(td, p->p_textvp, &fullpath, &freepath) != 0)
>>> + goto out;
>>> + snprintf(data, len, "comm=%s", fullpath);
>>
>> I cannot test it right now, but it looks like immediate privilege
>> escalation.
>>
>> Path is not sanitized in any way and devd passes it to 'sh -c'.
>>
>> So a file named "a.out; /bin/id; meh" or so should result in execution
>> of aforementioned /bin/id.
>
> Then there is the issue of a user-generated core file being fed into the
> crash analyzer, possibly exploiting bugs in the latter.
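Review bot: the `snprintf(data, len, "comm=%s", fullpath);` line copies the executable's full path into the devd event unescaped, and the devd.conf rule in the same patch expands that value in `action "logger $comm $core";`, which devd runs through `sh -c` as root; a path containing shell metacharacters therefore reaches the shell with root privileges. Either refuse to emit the event when `fullpath` contains characters outside a conservative allowlist (alphanumerics and `/._-`), or encode the path (hex or percent-encoding) and let the helper decode it; the sample devd.conf should also invoke a helper that drops privileges rather than a bare shell pipeline. The `goto out` on `vn_fullpath_global()` failure silently drops the notification for any process whose text vnode cannot be resolved to a path; that deserves at least a comment so the missing event is not mistaken for a bug elsewhere.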
That's why there's a warning in devd.conf: devd will run the helper as root, so a properly written helper has to drop the privileges very early or be invoked by devd with lower privileges. My helper just drops privileges to match the UID/GID of the generated core file before doing anything else.

--
Rui Paulo

_______________________________________________
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
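As an added example (not code from the commit and not Rui Paulo's helper), here is what a devd-launched core helper in C does before it touches anything, following the two points raised in the thread: it validates the `$comm` path against a conservative allowlist so it is never handed to `sh -c` unchecked, it `lstat()`s the core without following symlinks and requires a regular file, and it drops supplementary groups, gid and uid to the core's owner and verifies that root cannot be regained before any parsing happens. The function names and the constructed temporary file standing in for a core are assumptions made for this example.

```c
/* Added example: defensive checks for a devd-launched core-file helper.
 * Not the FreeBSD commit's code; function names are assumptions. */
#define _GNU_SOURCE 1
#include <sys/stat.h>
#include <sys/types.h>
#include <ctype.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Accept only an absolute path made of characters with no meaning to sh:
 * alphanumerics and / . _ - +. Anything else (';', '$', '`', space, quotes)
 * makes the whole value unsafe to interpolate into a shell command. */
int path_is_shell_safe(const char *s)
{
    if (s == NULL || s[0] != '/' || strlen(s) >= 1024)
        return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || c == '/' || c == '.' || c == '_' || c == '-' || c == '+')
            continue;
        return 0;
    }
    return 1;
}

/* lstat() the core (no symlink following), require a regular file, and
 * report its owner so privileges can be dropped to match it. */
int check_core_file(const char *path, uid_t *uid, gid_t *gid)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;              /* missing or unreadable */
    if (!S_ISREG(st.st_mode))
        return -1;              /* symlink, device, fifo: not a core file */
    *uid = st.st_uid;
    *gid = st.st_gid;
    return 0;
}

/* Drop to the core owner's ids in the only order that works (groups, gid,
 * then uid) and verify the drop actually took and is irreversible. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may change the supplementary group list; clear it first so
     * root's groups do not survive the drop. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)       /* gid before uid: afterwards setgid() would fail */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;              /* drop was not permanent: refuse to continue */
    return 0;
}

/* Constructed input for the example: an empty temporary file that stands in
 * for a core dump. Writes its path into out. */
int make_constructed_core(char *out, size_t outlen)
{
    char tmpl[] = "/tmp/example-core.XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    close(fd);
    if (strlen(tmpl) + 1 > outlen) {
        unlink(tmpl);
        return -1;
    }
    strcpy(out, tmpl);
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage: helper [comm-path] [core-path]; defaults to a constructed core. */
    const char *comm = argc > 1 ? argv[1] : "/usr/local/bin/a.out";
    char core[64];
    const char *corepath = argc > 2 ? argv[2] : NULL;
    uid_t uid;
    gid_t gid;

    if (corepath == NULL) {
        if (make_constructed_core(core, sizeof core) != 0)
            return 1;
        corepath = core;
    }
    if (!path_is_shell_safe(comm)) {
        fprintf(stderr, "refusing unsafe comm path\n");
        return 1;
    }
    if (check_core_file(corepath, &uid, &gid) != 0 || drop_privileges(uid, gid) != 0) {
        perror("core helper");
        return 1;
    }
    /* Only now is it safe to open and parse the core. */
    printf("analysing %s for %s as uid %u gid %u\n", corepath, comm,
           (unsigned)getuid(), (unsigned)getgid());
    if (argc <= 2)
        unlink(core);
    return 0;
}
```

The order in `drop_privileges()` matters: once the uid is unprivileged, `setgroups()` and `setgid()` fail, so groups go first and uid last, and the final `setuid(0)` probe catches a drop that only changed the effective id.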