ia64/xen-unstable

changeset 16193:b28ae5f00553

xenmon: Fix security vulnerability CVE-2007-3919.

The xenbaked daemon and xenmon utility communicate via a mmap'ed
shared file. Since this file is located in /tmp, unprivileged users
can cause arbitrary files to be truncated by creating a symlink from
the well-known /tmp filename to e.g., /etc/passwd.

The fix is to place the shared file in a directory to which only root
should have access (in this case /var/run/).

This bug was reported, and the fix suggested, by Steve Kemp
<skx@debian.org>. Thanks!

Signed-off-by: Keir Fraser <keir@xensource.com>
author Keir Fraser <keir@xensource.com>
date Tue Oct 23 09:26:43 2007 +0100 (2007-10-23)
parents 118a21c66fd5
children 5a213170b06e
files tools/xenmon/xenbaked.c tools/xenmon/xenmon.py
line diff
     1.1 --- a/tools/xenmon/xenbaked.c	Mon Oct 22 21:06:11 2007 +0100
     1.2 +++ b/tools/xenmon/xenbaked.c	Tue Oct 23 09:26:43 2007 +0100
     1.3 @@ -589,7 +589,7 @@ error_t cmd_parser(int key, char *arg, s
     1.4      return 0;
     1.5  }
     1.6  
     1.7 -#define SHARED_MEM_FILE "/tmp/xenq-shm"
     1.8 +#define SHARED_MEM_FILE "/var/run/xenq-shm"
     1.9  void alloc_qos_data(int ncpu)
    1.10  {
    1.11      int i, n, pgsize, off=0;
     2.1 --- a/tools/xenmon/xenmon.py	Mon Oct 22 21:06:11 2007 +0100
     2.2 +++ b/tools/xenmon/xenmon.py	Tue Oct 23 09:26:43 2007 +0100
     2.3 @@ -46,7 +46,7 @@ ST_QDATA = "%dQ" % (6*NDOMAINS + 4)
     2.4  QOS_DATA_SIZE = struct.calcsize(ST_QDATA)*NSAMPLES + struct.calcsize(ST_DOM_INFO)*NDOMAINS + struct.calcsize("4i")
     2.5  
     2.6  # location of mmaped file, hard coded right now
     2.7 -SHM_FILE = "/tmp/xenq-shm"
     2.8 +SHM_FILE = "/var/run/xenq-shm"
     2.9  
    2.10  # format strings
    2.11  TOTALS = 15*' ' + "%6.2f%%" + 35*' ' + "%6.2f%%"