Since we call dracut directly on current working directory "." so it is possible to trick root to call fake code.
Thus move to use abosolute path instead.
Signed-off-by: Dave Young dyoung@redhat.com --- mkdumprd | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
Index: kexec-tools/mkdumprd =================================================================== --- kexec-tools.orig/mkdumprd +++ kexec-tools/mkdumprd @@ -17,6 +17,7 @@ SAVE_PATH=$(grep ^path $conf_file| cut - [ -z "$SAVE_PATH" ] && SAVE_PATH=$DEFAULT_PATH # strip the duplicated "/" SAVE_PATH=$(echo $SAVE_PATH | tr -s /) +DRACUT_PATH=/usr/bin
is_wdt_addition_needed() { local active @@ -457,7 +458,7 @@ if ! is_fadump_capable; then add_dracut_arg "--no-hostonly-default-device" fi
-dracut "${dracut_args[@]}" "$@" +${DRACUT_PATH}/dracut "${dracut_args[@]}" "$@" _rc=$? sync exit $_rc
On Thu, Nov 9, 2017 at 10:46 AM, Dave Young dyoung@redhat.com wrote:
Since we call dracut directly on current working directory "." so it is possible to trick root to call fake code.
Thus move to use abosolute path instead.
^^^^^^^^ Minor nitpick: absolute
Signed-off-by: Dave Young dyoung@redhat.com
mkdumprd | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
Index: kexec-tools/mkdumprd
--- kexec-tools.orig/mkdumprd +++ kexec-tools/mkdumprd @@ -17,6 +17,7 @@ SAVE_PATH=$(grep ^path $conf_file| cut - [ -z "$SAVE_PATH" ] && SAVE_PATH=$DEFAULT_PATH # strip the duplicated "/" SAVE_PATH=$(echo $SAVE_PATH | tr -s /) +DRACUT_PATH=/usr/bin
is_wdt_addition_needed() { local active @@ -457,7 +458,7 @@ if ! is_fadump_capable; then add_dracut_arg "--no-hostonly-default-device" fi
-dracut "${dracut_args[@]}" "$@" +${DRACUT_PATH}/dracut "${dracut_args[@]}" "$@" _rc=$? sync exit $_rc
Good catch. This should be fixed as local users can trick the administrator into executing code as root.
Acked-by: Bhupesh Sharma bhsharma@redhat.com
Regards, Bhupesh
On 11/09/17 at 11:05am, Bhupesh Sharma wrote:
On Thu, Nov 9, 2017 at 10:46 AM, Dave Young dyoung@redhat.com wrote:
Since we call dracut directly on current working directory "." so it is possible to trick root to call fake code.
Thus move to use abosolute path instead.
^^^^^^^^
Minor nitpick: absolute
Will fix the typo when I apply it, thanks!
Signed-off-by: Dave Young dyoung@redhat.com
mkdumprd | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
Index: kexec-tools/mkdumprd
--- kexec-tools.orig/mkdumprd +++ kexec-tools/mkdumprd @@ -17,6 +17,7 @@ SAVE_PATH=$(grep ^path $conf_file| cut - [ -z "$SAVE_PATH" ] && SAVE_PATH=$DEFAULT_PATH # strip the duplicated "/" SAVE_PATH=$(echo $SAVE_PATH | tr -s /) +DRACUT_PATH=/usr/bin
is_wdt_addition_needed() { local active @@ -457,7 +458,7 @@ if ! is_fadump_capable; then add_dracut_arg "--no-hostonly-default-device" fi
-dracut "${dracut_args[@]}" "$@" +${DRACUT_PATH}/dracut "${dracut_args[@]}" "$@" _rc=$? sync exit $_rc
Good catch. This should be fixed as local users can trick the administrator into executing code as root.
Acked-by: Bhupesh Sharma bhsharma@redhat.com
Regards, Bhupesh
Acked-by: Pingfan Liu piliu@redhat.com
----- Original Message -----
From: "Dave Young" dyoung@redhat.com To: kexec@lists.fedoraproject.org Sent: Thursday, November 9, 2017 1:16:54 PM Subject: [PATCH ] Use absolute path /usr/bin/dracut in mkdumprd
Since we call dracut directly on current working directory "." so it is possible to trick root to call fake code.
Thus move to use abosolute path instead.
Signed-off-by: Dave Young dyoung@redhat.com
mkdumprd | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
Index: kexec-tools/mkdumprd
--- kexec-tools.orig/mkdumprd +++ kexec-tools/mkdumprd @@ -17,6 +17,7 @@ SAVE_PATH=$(grep ^path $conf_file| cut - [ -z "$SAVE_PATH" ] && SAVE_PATH=$DEFAULT_PATH # strip the duplicated "/" SAVE_PATH=$(echo $SAVE_PATH | tr -s /) +DRACUT_PATH=/usr/bin
is_wdt_addition_needed() { local active @@ -457,7 +458,7 @@ if ! is_fadump_capable; then add_dracut_arg "--no-hostonly-default-device" fi
-dracut "${dracut_args[@]}" "$@" +${DRACUT_PATH}/dracut "${dracut_args[@]}" "$@" _rc=$? sync exit $_rc
kexec mailing list -- kexec@lists.fedoraproject.org To unsubscribe send an email to kexec-leave@lists.fedoraproject.org
After reading the background of bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1510922
It is not a problem actually, sorry for the noise.
Although root set different "PATH" can lead to wrong script, but it is different with what the bug described "current working dir" and it is not a problem worth an update.
Thanks Dave
On 11/09/17 at 01:16pm, Dave Young wrote:
Since we call dracut directly on current working directory "." so it is possible to trick root to call fake code.
Thus move to use abosolute path instead.
Signed-off-by: Dave Young dyoung@redhat.com
mkdumprd | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
Index: kexec-tools/mkdumprd
--- kexec-tools.orig/mkdumprd +++ kexec-tools/mkdumprd @@ -17,6 +17,7 @@ SAVE_PATH=$(grep ^path $conf_file| cut - [ -z "$SAVE_PATH" ] && SAVE_PATH=$DEFAULT_PATH # strip the duplicated "/" SAVE_PATH=$(echo $SAVE_PATH | tr -s /) +DRACUT_PATH=/usr/bin
is_wdt_addition_needed() { local active @@ -457,7 +458,7 @@ if ! is_fadump_capable; then add_dracut_arg "--no-hostonly-default-device" fi
-dracut "${dracut_args[@]}" "$@" +${DRACUT_PATH}/dracut "${dracut_args[@]}" "$@" _rc=$? sync exit $_rc
kexec mailing list -- kexec@lists.fedoraproject.org To unsubscribe send an email to kexec-leave@lists.fedoraproject.org