On Thu, Dec 15, 2016 at 05:06:36PM +0700, Martin Winter wrote:
> On 15 Dec 2016, at 0:41, David Lamparter wrote:
>> This is a hard no-go. vtysh.conf contains authentication-related options which can be used together with setting vtysh SGID to quaggavty. [...]
>
> Crap.
> Any suggestion on how to get this done? Location is unknown at compile time.
> Only thought I have is to only allow the override if run as root? Any better idea?
I think we need something like:

    int restricted = (getuid() != geteuid()) || (getgid() != getegid());
    ...
    if (!restricted)
        ...

We can also use that for restricting other options, though I think we're mostly OK there.

We should add access() calls on markfile & dryrun, because we also have "arbitrary file reading" vulnerabilities there. VTYSH_LOG is also a big problem.

All in all, we are not secure for vtysh-as-SGID setups to begin with, so this didn't make it much worse, but I don't want to make it slightly worse either...

-David
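
The check discussed in this thread, written out as an added example (not code from the thread or from the project): the real/effective ID comparison gates a config-path override, and access() filters user-named files against the invoker's real IDs. The function names and the default path below are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* True when real and effective IDs differ, i.e. the binary was started
 * setuid or setgid and holds privileges the invoking user does not. */
int privs_elevated(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return (uid != euid) || (gid != egid);
}

/* The same comparison applied to the current process. */
int is_restricted(void)
{
    return privs_elevated(getuid(), geteuid(), getgid(), getegid());
}

/* Honour a user-supplied config path only when the process is not
 * restricted; otherwise fall back to the built-in location. */
const char *pick_config_path(const char *override, const char *dflt,
                             int restricted)
{
    if (override != NULL && !restricted)
        return override;
    return dflt;
}

/* Open a user-named file for reading. access() tests permissions with the
 * REAL uid/gid, so a restricted process refuses files that only its
 * elevated group could read. The path can still change between access()
 * and fopen(), so this is a filter, not a binding check on the opened file. */
FILE *open_for_invoker(const char *path, int restricted)
{
    if (restricted && access(path, R_OK) != 0)
        return NULL;
    return fopen(path, "r");
}

int main(int argc, char **argv)
{
    /* Hypothetical default location, used only for this example. */
    const char *dflt = "/etc/example/vtysh.conf";
    int restricted = is_restricted();
    const char *cfg = pick_config_path(argc > 1 ? argv[1] : NULL, dflt, restricted);

    printf("restricted=%d config=%s\n", restricted, cfg);
    return 0;
}
```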