[cmaster-next] Snapcraft_v2 branch ready for merge into stable/2.0
Got all the required changes from Renato and have now a branch with all the Snapcraft parts ready for merge. This includes code to modify the main Quagga and (in the snapcraft subdir) all the needed files to build a snap.
Doc / Package files will need one more round to adjust mainly for the name (once we settle on something).
Branch is snapcraft_v2
Main changes:
- Snap packages are only allowed to write into their own mounted container and the filenames are not known until the package is installed. There are now new --vty_socket cli options to specify the location for the vty socket instead of using the compile-time path. (Plus --ctl_socket for the extra LDP socket and --config_dir for vtysh)
- Snap packages can't even read files outside their directories. Getting the homedir from the password file isn't possible. Using now the HOME env variable and only falling back to the passwd file if it doesn't exist.
- Snap packages can't SETUID or SETGID. They always run under root. There is now a check for UID and GID and the change only happens if it's not already running under the requested User/Group.
- Martin
Hi Martin, all,
I certainly missed the information, sorry for that (or the mail was deleted by our anti-spam filter), but I can't figure out where this branch and the stable 2.0 branch are located.
Is it on the github cumulus private repo cmaster-next or elsewhere? I looked at the cmaster-next git repo, but didn't find any reference to stable 2.0 or snapcraft_v2.
Thanks for your help.
Regards
Olivier
On 11/12/2016 at 13:29, Martin Winter wrote:
_______________________________________________ cmaster-next mailing list cmaster-next@lists.nox.tf https://lists.nox.tf/listinfo/cmaster-next
This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
Hello,
it's on https://github.com/opensourcerouting/cumulus-private_quagga/
-Christian
On 12/12/2016 03:01 PM, olivier.dugeon@orange.com wrote:
Hi Christian,
Thanks for the info, but I don't see the repo. I think I don't have the authorization to access this repo if it is private.
Can you add me? My account on GitHub is odd22.
Regards,
Olivier
On 12/12/2016 at 16:30, Christian Franke wrote:
You should have an invitation.
-Christian
On 12/12/2016 04:35 PM, olivier.dugeon@orange.com wrote:
Hello Christian,
I got it. Thanks a lot.
I could see what's wrong with the link-params CLI and will propose a patch tomorrow.
Regards
Olivier
On 12/12/2016 at 16:51, Christian Franke wrote:
Hm. Some bits aren't quite nice yet...
+++ b/vtysh/vtysh.h
+ case OPTION_CONFDIR:
+ /*
+ * Overwrite location for vtysh.conf
+ */
...
This is a hard no-go. vtysh.conf contains authentication-related options which can be used together with setting vtysh SGID to quaggavty. E.g. you can set it up like this:
./configure --with-pam
-rwx--s--x. root quaggavty /usr/bin/vtysh
srwxrwx---. quagga quaggavty /var/run/quagga/zebra.vty
/etc/pam.d/quagga:
auth sufficient pam_group.so group=netadmins
auth sufficient pam_group.so group=sysadmins
auth required pam_deny.so
Now users that are in the "netadmins" or "sysadmins" group can use vtysh to access zebra config.
BUT.
vtysh.conf has a "username XXX no-password" option which disables PAM.
And, with your change, the user can supply their own vtysh.conf. With a line "username myuser no-password". Now they can access zebra without being in either of these groups...
... Congratulations, you created a security issue :)
(Bottom line: the file location of vtysh.conf can *never* be a command line option if vtysh is installed SGID or SUID. You could try checking if it is SGID/SUID and ignore the option.)
(Note: I even recently updated the documentation on this, see doc/vtysh.texi. It says "No security guarantees are made for this configuration", but still that doesn't mean we should break it further.)
+++ b/lib/privs.c
...
- if (zprivs_state.zgid)
+ /* change gid only if we changed uid - otherwise skip */
+ if ((zprivs_state.zgid) && (zprivs_state.zsuid != zprivs_state.zuid))
...
- if (zprivs_state.zgid)
+ /* change gid only if we changed uid - otherwise skip */
+ if ((zprivs_state.zgid) && (zprivs_state.zsuid != zprivs_state.zuid))
Both of these won't do; if someone starts a daemon with "-u root", it should still apply its group settings. Need a gid != current gid check.
+++ b/ospfd/ospf_main.c
...
+ snprintf(pidfile_temp, sizeof(pidfile_temp), "%s/ospfd-%d.pid", pid_file, instance );
+ strncpy(pid_file, pidfile_temp, sizeof(pid_file));
strncpy is the wrong function to call (should be strlcpy), but it shouldn't even be there - just snprintf to pid_file directly.
Also, normally, socket path options on other daemons use full paths as arguments, not directory paths. Can we rename it to --vty_socket_dir?
-David
On Sun, Dec 11, 2016 at 04:29:08AM -0800, Martin Winter wrote:
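Review bot: the OPTION_CONFDIR handler in the vtysh.h hunk takes the path unconditionally, with no test of whether vtysh was started through its SGID (quaggavty) or a SUID bit, which is exactly what makes a caller-chosen vtysh.conf dangerous. Gate the assignment on the process not running with borrowed ids (getuid() != geteuid() || getgid() != getegid()) and, when the gate fails, reject the option with a message and exit rather than silently ignoring it, so an operator who passes it by mistake notices. The comment "Overwrite location for vtysh.conf" also disagrees with the option name: CONFDIR says directory, while the comment and the other daemons' socket options speak of a file path.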
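Review bot: the replacement condition in both privs.c hunks, zprivs_state.zsuid != zprivs_state.zuid, decides whether to change the gid by looking at whether the uid changes, and the comment "change gid only if we changed uid - otherwise skip" cements that coupling; a daemon started as the requested user but with a different -g group therefore never gets its group applied. Make the two decisions independent: keep a uid comparison for the setuid path and compare zgid against the current effective gid (for example by recording getegid() into zprivs_state at init), which is all the snap constraint actually requires.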
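Review bot: in the ospf_main.c hunk pid_file is both the "%s" source and the destination of the copy back, and sizeof(pid_file) is only the buffer size if pid_file is declared as an array in this scope; if it is a pointer the strncpy truncates the path to pointer size, and strncpy leaves no terminator when the source fills the destination. Collapsing this into a single snprintf into pid_file while still passing pid_file as the "%s" argument is not a fix either, because snprintf with overlapping source and destination is undefined behaviour. Take the directory from a separately named variable (the option parser's own copy) and snprintf the full path into pid_file from that, dropping pidfile_temp and the strncpy.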
David,
On 15 Dec 2016, at 0:41, David Lamparter wrote:
Hm. Some bits aren't quite nice yet...
+++ b/vtysh/vtysh.h
+ case OPTION_CONFDIR:
+ /*
+ * Overwrite location for vtysh.conf
+ */
...
This is a hard no-go. vtysh.conf contains authentication-related options which can be used together with setting vtysh SGID to quaggavty. E.g. you can set it up like this:
./configure --with-pam
-rwx--s--x. root quaggavty /usr/bin/vtysh
srwxrwx---. quagga quaggavty /var/run/quagga/zebra.vty
/etc/pam.d/quagga:
auth sufficient pam_group.so group=netadmins
auth sufficient pam_group.so group=sysadmins
auth required pam_deny.so
Now users that are in the "netadmins" or "sysadmins" group can use vtysh to access zebra config.
BUT.
vtysh.conf has a "username XXX no-password" option which disables PAM.
And, with your change, the user can supply their own vtysh.conf. With a line "username myuser no-password". Now they can access zebra without being in either of these groups...
... Congratulations, you created a security issue :)
Crap. Any suggestion on how to get this done? Location is unknown at compile time. Only thought I have is to only allow the override if run as root? Any better idea?
(Bottom line: the file location of vtysh.conf can *never* be a command line option if vtysh is installed SGID or SUID. You could try checking if it is SGID/SUID and ignore the option.)
(Note: I even recently updated the documentation on this, see doc/vtysh.texi. It says "No security guarantees are made for this configuration", but still that doesn't mean we should break it further.)
+++ b/lib/privs.c
...
- if (zprivs_state.zgid)
+ /* change gid only if we changed uid - otherwise skip */
+ if ((zprivs_state.zgid) && (zprivs_state.zsuid != zprivs_state.zuid))
...
- if (zprivs_state.zgid)
+ /* change gid only if we changed uid - otherwise skip */
+ if ((zprivs_state.zgid) && (zprivs_state.zsuid != zprivs_state.zuid))
Both of these won't do; if someone starts a daemon with "-u root", it should still apply its group settings. Need a gid != current gid check.
Ack.
+++ b/ospfd/ospf_main.c
...
+ snprintf(pidfile_temp, sizeof(pidfile_temp), "%s/ospfd-%d.pid", pid_file, instance );
+ strncpy(pid_file, pidfile_temp, sizeof(pid_file));
strncpy is the wrong function to call (should be strlcpy), but it shouldn't even be there - just snprintf to pid_file directly.
Ack.
Also, normally, socket path options on other daemons use full paths as arguments, not directory paths. Can we rename it to --vty_socket_dir?
No problem.
- Martin
On Sun, Dec 11, 2016 at 04:29:08AM -0800, Martin Winter wrote:
On Thu, Dec 15, 2016 at 05:06:36PM +0700, Martin Winter wrote:
On 15 Dec 2016, at 0:41, David Lamparter wrote:
This is a hard no-go. vtysh.conf contains authentication-related options which can be used together with setting vtysh SGID to quaggavty. [...]
Crap.
Any suggestion on how to get this done? Location is unknown at compile time.
Only thought I have is to only allow the override if run as root? Any better idea?
I think we need something like:
int restricted = (getuid() != geteuid()) || (getgid() != getegid());
...
if (!restricted)
...
We can also use that for restricting other options, though I think we're mostly OK there. We should add access() calls on markfile & dryrun, because we also have "arbitrary file reading" vulnerabilities there.
VTYSH_LOG is also a big problem.
All in all, we are not secure for vtysh-as-SGID setups to begin with, so this didn't make it much worse, but I don't want to make it slightly worse either...
-David
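David's restricted check and his point about caller-named files, carried into working C as an added example (this is not Quagga's code): privs_restricted_ids() is the uid/euid, gid/egid test made unit-testable, resolve_vtysh_conf() uses it to refuse a command-line vtysh.conf path when the process runs with borrowed privileges, and open_as_real_user() shows the alternative to a bare access() check for the markfile/dryrun files, opening them with the caller's real ids so there is no check-then-open window. DEFAULT_VTYSH_CONF and every function name here are constructed for the example.

```c
/* Added example, not Quagga code: gate SUID/SGID-sensitive options and
 * caller-named files in a vtysh-like binary. Function names and the
 * default path are constructed for this example. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed stand-in for the path Quagga derives from SYSCONFDIR. */
#define DEFAULT_VTYSH_CONF "/etc/quagga/vtysh.conf"

enum conf_source { CONF_DEFAULT, CONF_OVERRIDE, CONF_OVERRIDE_REFUSED };

/* David's proposed test, with the ids passed in so it can be unit-tested:
 * the process is "restricted" when its effective ids differ from the real
 * ones, which is exactly the state a SUID or SGID bit produces. */
int privs_restricted_ids(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return (uid != euid) || (gid != egid);
}

int privs_restricted(void)
{
    return privs_restricted_ids(getuid(), geteuid(), getgid(), getegid());
}

/* Choose the vtysh.conf to load. A command-line path is honoured only when
 * no privileges are borrowed; otherwise the compile-time default wins and
 * the caller is told the override was refused, so it can complain instead
 * of quietly reading a file the user did not pick. */
enum conf_source resolve_vtysh_conf(const char *cli_override, int restricted,
                                    char *out, size_t outlen)
{
    if (cli_override == NULL) {
        snprintf(out, outlen, "%s", DEFAULT_VTYSH_CONF);
        return CONF_DEFAULT;
    }
    if (restricted) {
        snprintf(out, outlen, "%s", DEFAULT_VTYSH_CONF);
        return CONF_OVERRIDE_REFUSED;
    }
    snprintf(out, outlen, "%s", cli_override);
    return CONF_OVERRIDE;
}

/* Files the unprivileged caller names (markfile, dry-run input, a log):
 * open them with the real uid/gid in effect so the kernel applies the
 * caller's own permissions rather than quaggavty's. This achieves what an
 * access() check is for, without a window between the check and open().
 * Returns the descriptor, or -1 with errno set. */
int open_as_real_user(const char *path)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();
    int fd, saved_errno;

    /* Drop to the real ids for the duration of the open. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    saved_errno = errno;
    /* Regain the effective ids; a process that cannot must not carry on. */
    if (seteuid(euid) != 0 || setegid(egid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Stand-alone use: ./vtysh_gate [path-to-vtysh.conf] */
int main(int argc, char **argv)
{
    char conf[256];
    int restricted = privs_restricted();
    enum conf_source src = resolve_vtysh_conf(argc > 1 ? argv[1] : NULL,
                                              restricted, conf, sizeof(conf));

    if (src == CONF_OVERRIDE_REFUSED)
        fprintf(stderr, "running SUID/SGID: ignoring the config path option\n");
    printf("restricted=%d config=%s\n", restricted, conf);
    return 0;
}
```

Run unprivileged, the override is honoured; installed SGID quaggavty as in David's setup, the same invocation falls back to the built-in path and says so.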
On 16 Dec 2016, at 4:41, David Lamparter wrote:
On Thu, Dec 15, 2016 at 05:06:36PM +0700, Martin Winter wrote:
On 15 Dec 2016, at 0:41, David Lamparter wrote:
This is a hard no-go. vtysh.conf contains authentication-related options which can be used together with setting vtysh SGID to quaggavty. [...]
Crap.
Any suggestion on how to get this done? Location is unknown at compile time.
Only thought I have is to only allow the override if run as root? Any better idea?
I think we need something like:
int restricted = (getuid() != geteuid()) || (getgid() != getegid()); ... if (!restricted) ...
So if I understand you correctly, I'll add such a check and only parse the vtysh.conf location if this check passes - otherwise ignore it (or complain and bail?)
- Martin
We can also use that for restricting other options, though I think we're mostly OK there. We should add access() calls on markfile & dryru, because we also have "arbitrary file reading" vulnerabilities there.
VTYSH_LOG is also a big problem.
All in all, we are not secure for vtysh-as-SGID setups to begin with, so this didn't make it much worse, but I don't want to make it slightly worse either...
-David