Diffstat (limited to 'meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch')
-rw-r--r-- | meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch | 182 |
1 files changed, 182 insertions, 0 deletions
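--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch
@@ -0,0 +1,182 @@
+From 0a42426d797406b4b01a0d9c13bb759c2629d108 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 7 Oct 2020 11:15:05 +0200
+Subject: [PATCH] pager: make pager secure when under euid is changed or
+explicitly requested
+
+The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about
+less now), and we automatically enable secure mode in certain cases, but not
+otherwise.
+
+This approach is more nuanced, but should provide a better experience for
+users:
+
+- Previusly we would set LESSSECURE=1 and trust the pager to make use of
+it. But this has an effect only on less. We need to not start pagers which
+are insecure when in secure mode. In particular more is like that and is a
+very popular pager.
+
+- We don't enable secure mode always, which means that those other pagers can
+reasonably used.
+
+- We do the right thing by default, but the user has ultimate control by
+setting SYSTEMD_PAGERSECURE.
+
+Fixes #5666.
+
+v2:
+- also check $PKEXEC_UID
+
+v3:
+- use 'sd_pid_get_owner_uid() != geteuid()' as the condition
+
+CVE: CVE-2023-26604
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17270/commits/0a42426d797406b4b01a0d9c13bb759c2629d108]
+Comments: Hunk refreshed
+Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
+---
+man/less-variables.xml | 30 +++++++++++++++----
+src/shared/pager.c | 63 ++++++++++++++++++++++++++-------------
+2 files changed, 66 insertions(+), 27 deletions(-)
+
+diff --git a/man/less-variables.xml b/man/less-variables.xml
+index c52511c..049e9f7 100644
+--- a/man/less-variables.xml
++++ b/man/less-variables.xml
+@@ -65,12 +65,30 @@
+</varlistentry>
+
+<varlistentry id='lesssecure'>
+- <term><varname>$SYSTEMD_LESSSECURE</varname></term>
+-
+- <listitem><para>Takes a boolean argument. Overrides the <varname>$LESSSECURE</varname> environment
+- variable when invoking the pager, which controls the "secure" mode of less (which disables commands
+- such as <literal>|</literal> which allow to easily shell out to external command lines). By default
+- less secure mode is enabled, with this setting it may be disabled.</para></listitem>
++ <term><varname>$SYSTEMD_PAGERSECURE</varname></term>
++
++ <listitem><para>Takes a boolean argument. When true, the "secure" mode of the pager is enabled; if
++ false, disabled. If <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, secure mode is enabled
++ if the effective UID is not the same as the owner of the login session, see <citerefentry
++ project='man-pages'><refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
++ <citerefentry><refentrytitle>sd_pid_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
++ In secure mode, <option>LESSSECURE=1</option> will be set when invoking the pager, and the pager shall
++ disable commands that open or create new files or start new subprocesses. When
++ <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, pagers which are not known to implement
++ secure mode will not be used. (Currently only
++ <citerefentry><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry> implements
++ secure mode.)</para>
++
++ <para>Note: when commands are invoked with elevated privileges, for example under <citerefentry
++ project='man-pages'><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry> or
++ <citerefentry
++ project='die-net'><refentrytitle>pkexec</refentrytitle><manvolnum>1</manvolnum></citerefentry>, care
++ must be taken to ensure that unintended interactive features are not enabled. "Secure" mode for the
++ pager may be enabled automatically as describe above. Setting <varname>SYSTEMD_PAGERSECURE=0</varname>
++ or not removing it from the inherited environment allows the user to invoke arbitrary commands. Note
++ that if the <varname>$SYSTEMD_PAGER</varname> or <varname>$PAGER</varname> variables are to be
++ honoured, <varname>$SYSTEMD_PAGERSECURE</varname> must be set too. It might be reasonable to completly
++ disable the pager using <option>--no-pager</option> instead.</para></listitem>
+</varlistentry>
+
+<varlistentry id='colors'>
+diff --git a/src/shared/pager.c b/src/shared/pager.c
+index a3b6576..a72d9ea 100644
+--- a/src/shared/pager.c
++++ b/src/shared/pager.c
+@@ -8,6 +8,8 @@
+#include <sys/prctl.h>
+#include <unistd.h>
+
++#include "sd-login.h"
++
+#include "copy.h"
+#include "env-util.h"
+#include "fd-util.h"
+@@ -164,25 +166,42 @@ int pager_open(PagerFlags flags) {
+}
+
+/* People might invoke us from sudo, don't needlessly allow less to be a way to shell out
+- * privileged stuff. */
+- r = getenv_bool("SYSTEMD_LESSSECURE");
+- if (r == 0) { /* Remove env var if off */
+- if (unsetenv("LESSSECURE") < 0) {
+- log_error_errno(errno, "Failed to uset environment variable LESSSECURE: %m");
+- _exit(EXIT_FAILURE);
+- }
+- } else {
+- /* Set env var otherwise */
++ * privileged stuff. If the user set $SYSTEMD_PAGERSECURE, trust their configuration of the
++ * pager. If they didn't, use secure mode when under euid is changed. If $SYSTEMD_PAGERSECURE
++ * wasn't explicitly set, and we autodetect the need for secure mode, only use the pager we
++ * know to be good. */
++ int use_secure_mode = getenv_bool("SYSTEMD_PAGERSECURE");
++ bool trust_pager = use_secure_mode >= 0;
++ if (use_secure_mode == -ENXIO) {
++ uid_t uid;
++
++ r = sd_pid_get_owner_uid(0, &uid);
+if (r < 0)
+- log_warning_errno(r, "Unable to parse $SYSTEMD_LESSSECURE, ignoring: %m");
++ log_debug_errno(r, "sd_pid_get_owner_uid() failed, enabling pager secure mode: %m");
+
+- if (setenv("LESSSECURE", "1", 1) < 0) {
+- log_error_errno(errno, "Failed to set environment variable LESSSECURE: %m");
+- _exit(EXIT_FAILURE);
+- }
++ use_secure_mode = r < 0 || uid != geteuid();
++
++ } else if (use_secure_mode < 0) {
++ log_warning_errno(use_secure_mode, "Unable to parse $SYSTEMD_PAGERSECURE, assuming true: %m");
++ use_secure_mode = true;
+}
+
+- if (pager_args) {
++ /* We generally always set variables used by less, even if we end up using a different pager.
++ * They shouldn't hurt in any case, and ideally other pagers would look at them too. */
++ if (use_secure_mode)
++ r = setenv("LESSSECURE", "1", 1);
++ else
++ r = unsetenv("LESSSECURE");
++ if (r < 0) {
++ log_error_errno(errno, "Failed to adjust environment variable LESSSECURE: %m");
++ _exit(EXIT_FAILURE);
++ }
++
++ if (trust_pager && pager_args) { /* The pager config might be set globally, and we cannot
++ * know if the user adjusted it to be appropriate for the
++ * secure mode. Thus, start the pager specified through
++ * envvars only when $SYSTEMD_PAGERSECURE was explicitly set
++ * as well. */
+r = loop_write(exe_name_pipe[1], pager_args[0], strlen(pager_args[0]) + 1, false);
+if (r < 0) {
+log_error_errno(r, "Failed to write pager name to socket: %m");
+@@ -194,13 +213,14 @@ int pager_open(PagerFlags flags) {
+"Failed to execute '%s', using fallback pagers: %m", pager_args[0]);
+}
+
+- /* Debian's alternatives command for pagers is
+- * called 'pager'. Note that we do not call
+- * sensible-pagers here, since that is just a
+- * shell script that implements a logic that
+- * is similar to this one anyway, but is
+- * Debian-specific. */
++ /* Debian's alternatives command for pagers is called 'pager'. Note that we do not call
++ * sensible-pagers here, since that is just a shell script that implements a logic that is
++ * similar to this one anyway, but is Debian-specific. */
+FOREACH_STRING(exe, "pager", "less", "more") {
++ /* Only less implements secure mode right now. */
++ if (use_secure_mode && !streq(exe, "less"))
++ continue;
++
+r = loop_write(exe_name_pipe[1], exe, strlen(exe) + 1, false);
+if (r < 0) {
+log_error_errno(r, "Failed to write pager name to socket: %m");
+@@ -211,6 +231,7 @@ int pager_open(PagerFlags flags) {
+"Failed to execute '%s', using next fallback pager: %m", exe);
+}
+
++ /* Our builtin is also very secure. */
+r = loop_write(exe_name_pipe[1], "(built-in)", strlen("(built-in)") + 1, false);
+if (r < 0) {
+log_error_errno(r, "Failed to write pager name to socket: %m");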
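Review bot: `trust_pager` (patch line 114, `bool trust_pager = use_secure_mode >= 0;`) is fixed before the `-ENXIO` autodetection branch runs, so it stays false whenever `$SYSTEMD_PAGERSECURE` is unset — including the case where `sd_pid_get_owner_uid()` matches `geteuid()` and secure mode ends up off — and `$SYSTEMD_PAGER`/`$PAGER` are then skipped in favour of the `pager`/`less`/`more` fallback list without any log line saying why. The man-page text in the same patch documents this ("if the $SYSTEMD_PAGER or $PAGER variables are to be honoured, $SYSTEMD_PAGERSECURE must be set too"), so it looks intentional, but the only explanation in the code is the comment some thirty lines lower at the `trust_pager && pager_args` check. I would put a comment at the definition, `/* Explicit setting required: when $SYSTEMD_PAGERSECURE is unset, pager_args is ignored even if autodetection decides secure mode is not needed. */`, and after the closing brace of that `if` block add `else if (pager_args) log_debug("$SYSTEMD_PAGERSECURE not set to a valid boolean, ignoring configured pager.");` so users can see why their configured pager was not used. The enclosing `pager_open()` starts and ends outside the hunk.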