[cmaster-next] Snapcraft_v2 branch ready for merge into stable/2.0

Martin Winter mwinter at opensourcerouting.org
Sat Dec 17 02:51:24 EST 2016



On 16 Dec 2016, at 4:41, David Lamparter wrote:

> On Thu, Dec 15, 2016 at 05:06:36PM +0700, Martin Winter wrote:
>> On 15 Dec 2016, at 0:41, David Lamparter wrote:
>>> This is a hard no-go.  vtysh.conf contains authentication-related
>>> options which can be used together with setting vtysh SGID to
>>> quaggavty.
> [...]
>>
>> Crap.
>>
>> Any suggestion on how to get this done? Location is unknown at compile
>> time.
>>
>> Only thought I have is to only allow the override if run as root?
>> Any better idea?
>
> I think we need something like:
>
> int restricted = (getuid() != geteuid()) || (getgid() != getegid());
> ...
> if (!restricted) ...

So if I understand you correctly, I’ll add such a check and only
parse the vtysh.conf location if this check passes - otherwise ignore
it (or complain and bail?)

- Martin

>
> We can also use that for restricting other options, though I think we're
> mostly OK there.  We should add access() calls on markfile & dryrun,
> because we also have "arbitrary file reading" vulnerabilities there.
>
> VTYSH_LOG is also a big problem.
>
> All in all, we are not secure for vtysh-as-SGID setups to begin with, so
> this didn't make it much worse, but I don't want to make it slightly
> worse either...
>
>
> -David
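
Added example, not code from this thread or from the project: a C sketch of the set-ID check quoted above, used to ignore a config-location override when restricted, plus an access() test for user-named files. The helper names and the placeholder paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure form of the check quoted in the thread, so it can be exercised
 * with constructed IDs: any real/effective mismatch means the binary is
 * running set-ID (for example SGID to the vty group). */
int ids_are_restricted(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return (uid != euid) || (gid != egid);
}

int process_is_restricted(void)
{
    return ids_are_restricted(getuid(), geteuid(), getgid(), getegid());
}

/* Hypothetical helper: honour a caller-supplied config location only when
 * the process holds no extra privilege; otherwise fall back to the
 * built-in path and ignore the override. */
const char *select_config_path(const char *override_path,
                               const char *builtin_path, int restricted)
{
    if (override_path == NULL || restricted)
        return builtin_path;
    return override_path;
}

/* access() evaluates permissions with the REAL uid/gid, which is what the
 * thread suggests for user-named input files. It is a check-then-use
 * pattern, so the file can still be swapped before open(). */
int real_user_may_read(const char *path)
{
    return path != NULL && access(path, R_OK) == 0;
}

int main(void)
{
    /* Constructed sample values, not paths from the project. */
    const char *builtin = "/placeholder/etc/vtysh.conf";
    const char *override = "/placeholder/snap/vtysh.conf";
    int restricted = process_is_restricted();

    printf("restricted=%d config=%s\n", restricted,
           select_config_path(override, builtin, restricted));
    printf("readable=%d\n", real_user_may_read(override));
    return 0;
}
```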



