authorAndrew G. Morgan <morgan@kernel.org>2011-07-24 19:17:25 -0700
committerAndrew G. Morgan <morgan@kernel.org>2011-07-24 19:17:25 -0700
commitaf725c50c2930485947bd958dbdf984faf8fc1ba (patch)
tree8c11ec9f583b41f39648a0b0bf92d04797fdf8e9
parent1d229a36f06962ea8555afd0e657af9364c0e6d6 (diff)
downloadlibcap-af725c50c2930485947bd958dbdf984faf8fc1ba.tar.gz
Change directory to "/" after --chroot operation.
Thanks to Steve Grubb for suggesting this. He wrote: ========= I was reviewing something recently and discovered a problem in capsh. The capsh program has a --chroot command line option. Inspecting the code shows that it does not do a chdir("/") after calling chroot. This means that '.' is outside the chroot. Additional info: http://cwe.mitre.org/data/definitions/243.html ========= Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
-rw-r--r--libcap/cap_proc.c2
-rw-r--r--progs/capsh.c8
-rwxr-xr-xprogs/quicktest.sh6
3 files changed, 15 insertions, 1 deletions
diff --git a/libcap/cap_proc.c b/libcap/cap_proc.c
index 6040c02..8ecb57a 100644
--- a/libcap/cap_proc.c
+++ b/libcap/cap_proc.c
@@ -4,6 +4,8 @@
* This file deals with getting and setting capabilities on processes.
*/
+#include <sys/prctl.h>
+
#include "libcap.h"
cap_t cap_get_proc(void)
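Review bot: The added `#include <sys/prctl.h>` is not used by anything in this hunk, and neither the commit title nor the description mentions cap_proc.c, so it is unclear what it is for. If the rest of the file (outside the hunk) does not call prctl(), the include is dead and belongs in a separate change; if it is preparation for a follow-up, a one-line comment such as `/* prctl() is used by the securebits helpers below */` (adjusted to the actual user) would make the intent visible in the history.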
diff --git a/progs/capsh.c b/progs/capsh.c
index 4c32279..52336d7 100644
--- a/progs/capsh.c
+++ b/progs/capsh.c
@@ -278,10 +278,16 @@ int main(int argc, char *argv[], char *envp[])
perror("unable to lower CAP_SYS_CHROOT");
exit(1);
}
+ /*
+ * Given we are now in a new directory tree, its good practice
+ * to start off in a sane location
+ */
+ status = chdir("/");
+
cap_free(orig);
if (status != 0) {
- fprintf(stderr, "Unable to chroot to [%s]", argv[i]+9);
+ fprintf(stderr, "Unable to chroot/chdir to [%s]", argv[i]+9);
exit(1);
}
} else if (!memcmp("--secbits=", argv[i], 10)) {
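Review bot: The new `status = chdir("/");` overwrites the value the earlier chroot() call stored in `status` (that call and its assignment appear to sit above the hunk, and main's body continues on both sides), so a failed chroot followed by a successful chdir("/") — which will succeed, because the process is still inside the old root — passes the `if (status != 0)` check and capsh carries on un-chrooted without reporting anything. Guard the second call on the first: `if (status == 0) { status = chdir("/"); }`. Separately, the reworded message `"Unable to chroot/chdir to [%s]"` no longer says which of the two calls failed and still lacks a trailing newline and the errno text; a short prefix followed by `perror()` would give the operator both.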
diff --git a/progs/quicktest.sh b/progs/quicktest.sh
index 5959da9..be3fa7d 100755
--- a/progs/quicktest.sh
+++ b/progs/quicktest.sh
@@ -21,6 +21,7 @@ fail_capsh () {
echo -n "EXPECT FAILURE: "
try_capsh "$@"
if [ $? -eq 1 ]; then
+ echo "[WHICH MEANS A PASS!]"
return 0
else
echo "Undesired result - aborting"
@@ -132,3 +133,8 @@ fi
# Max lockdown
pass_capsh --keep=1 --user=nobody --caps=cap_setpcap=ep \
--drop=all --secbits=0x2f --caps= --print
+
+# Verify we can chroot
+pass_capsh --chroot=$(/bin/pwd)
+pass_capsh --chroot=$(/bin/pwd) ==
+fail_capsh --chroot=$(/bin/pwd) -- -c "echo oops"
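Review bot: The three new test lines pass `$(/bin/pwd)` unquoted, so a build tree whose path contains whitespace is split into several arguments and the `--chroot=` value is cut at the first space; quote the substitution in each of them, e.g. `pass_capsh --chroot="$(/bin/pwd)"`. The tests also assume the chroot target is the directory holding the capsh binary (the `==` form appears to re-execute capsh from inside the new root), which holds only when the script is run from progs/; a comment above the block stating that, and that the `-- -c "echo oops"` case is expected to fail because no shell exists inside the new root, would help whoever runs the script elsewhere.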