On 16 Dec 2016, at 4:41, David Lamparter wrote:
On Thu, Dec 15, 2016 at 05:06:36PM +0700, Martin Winter wrote:
On 15 Dec 2016, at 0:41, David Lamparter wrote:
This is a hard no-go. vtysh.conf contains authentication-related options which can be used together with setting vtysh SGID to quaggavty. [...]
Crap.
Any suggestion on how to get this done? Location is unknown at compile time.
Only thought I have is to only allow the override if run as root? Any better idea?
I think we need something like:
int restricted = (getuid() != geteuid()) || (getgid() != getegid()); ... if (!restricted) ...
So if I understand you correctly, I’ll add such a check and only parse the vtysh.conf location if this check passes - otherwise ignore it (or complain and bail?) - Martin
We can also use that for restricting other options, though I think we're mostly OK there. We should add access() calls on markfile & dryrun, because we also have "arbitrary file reading" vulnerabilities there.
VTYSH_LOG is also a big problem.
All in all, we are not secure for vtysh-as-SGID setups to begin with, so this didn't make it much worse, but I don't want to make it slightly worse either...
-David
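The real-vs-effective ID check David proposes above, plus the access()-style check on caller-supplied files, written out as an added C example (this is illustration written for this page, not quagga's own vtysh code). The compiled-in default path, the VTYSH_CONF environment variable used as the override source, and the contents of the sample config file are assumptions made for the example; the check itself is parameterised on the four IDs so it can be exercised without actually installing the binary SGID quaggavty.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_VTYSH_CONF "/etc/quagga/vtysh.conf"   /* assumed compiled-in default */

/* David's check in pure form: nonzero when real and effective IDs differ,
 * i.e. we were started SUID/SGID and must not trust caller-controlled paths. */
int ids_differ(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
	return (uid != euid) || (gid != egid);
}

/* Same check against the live process. */
int running_restricted(void)
{
	return ids_differ(getuid(), geteuid(), getgid(), getegid());
}

/* A caller-supplied vtysh.conf location (command line / environment) is only
 * honoured when unrestricted; otherwise the compiled-in default wins. */
const char *choose_config_path(const char *override, int restricted)
{
	if (override != NULL && override[0] != '\0' && !restricted)
		return override;
	return DEFAULT_VTYSH_CONF;
}

/* access(2) evaluates permissions against the *real* uid/gid, so this asks
 * "could the invoking user read this file without our SGID bit?".  Caveat:
 * a check-then-open race remains (the path can be swapped in between);
 * open_as_invoker() below avoids it. */
int invoker_can_read(const char *path)
{
	return access(path, R_OK) == 0;
}

/* Race-free alternative: give up the SUID/SGID privilege for the duration
 * of open(2) so the kernel itself checks permissions as the invoker.
 * Drop gid then uid; restore uid then gid. Returns an fd, or -1 with errno. */
int open_as_invoker(const char *path)
{
	uid_t euid = geteuid();
	gid_t egid = getegid();
	int fd, saved_errno;

	if (setegid(getgid()) != 0)
		return -1;
	if (seteuid(getuid()) != 0) {
		saved_errno = errno;
		setegid(egid);
		errno = saved_errno;
		return -1;
	}

	fd = open(path, O_RDONLY | O_CLOEXEC);
	saved_errno = errno;

	/* Never continue with half-restored privilege. */
	if (seteuid(euid) != 0 || setegid(egid) != 0)
		abort();

	errno = saved_errno;
	return fd;
}

/* Constructed sample input: a throwaway vtysh.conf-like file, created once. */
const char *make_sample_conf(void)
{
	static char path[] = "/tmp/vtysh-example-XXXXXX";
	static int created = 0;
	static const char body[] = "hostname example\nusername alice nopassword\n"; /* constructed */
	int fd;

	if (created)
		return path;
	fd = mkstemp(path);
	if (fd < 0)
		return NULL;
	if (write(fd, body, sizeof body - 1) != (ssize_t)(sizeof body - 1)) {
		close(fd);
		return NULL;
	}
	close(fd);
	created = 1;
	return path;
}

int main(int argc, char **argv)
{
	/* Override source is an assumption: argv[1], else VTYSH_CONF (hypothetical). */
	const char *override = argc > 1 ? argv[1] : getenv("VTYSH_CONF");
	int restricted = running_restricted();
	const char *conf = choose_config_path(override, restricted);
	int fd = open_as_invoker(conf);

	printf("restricted=%d config=%s open=%s\n", restricted, conf,
	       fd >= 0 ? "ok" : strerror(errno));
	if (fd >= 0)
		close(fd);
	return 0;
}
```

Run unrestricted, the override is honoured; installed SGID quaggavty, `running_restricted()` is nonzero and the override is silently ignored in favour of the compiled-in path. For files that must be opened on the caller's behalf regardless (the markfile / dryrun case in the thread), `open_as_invoker()` is preferable to `access()` because the permission check and the open happen atomically under the invoker's own IDs.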