Only allow 'stderr' log output when running setuid (CVE-2013-4400)

We must not allow file/syslog/journald log outputs when running
setuid since they can be abused to do bad things. In particular
the 'file' output can be used to overwrite files.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/src/util/virlog.c b/src/util/virlog.c
index 8a688fde0262523b13edc80821b4b2a14fa94629..997d582c75b850b78d331648b71d8fe9cc15f782 100644 (file)
--- a/src/util/virlog.c
+++ b/src/util/virlog.c
@@ -1324,6 +1324,9 @@ int virLogPriorityFromSyslog(int priority ATTRIBUTE_UNUSED)
  * Multiple output can be defined in a single @output, they just need to be
  * separated by spaces.
  *
+ * If running in setuid mode, then only the 'stderr' output will
+ * be allowed
+ *
  * Returns the number of output parsed and installed or -1 in case of error
  */
 int
@@ -1335,6 +1338,7 @@ virLogParseOutputs(const char *outputs)
     virLogPriority prio;
     int ret = -1;
     int count = 0;
+    bool isSUID = virIsSUID();
 
     if (cur == NULL)
         return -1;
@@ -1354,6 +1358,8 @@ virLogParseOutputs(const char *outputs)
             if (virLogAddOutputToStderr(prio) == 0)
                 count++;
         } else if (STREQLEN(cur, "syslog", 6)) {
+            if (isSUID)
+                goto cleanup;
             cur += 6;
             if (*cur != ':')
                 goto cleanup;
@@ -1371,6 +1377,8 @@ virLogParseOutputs(const char *outputs)
             VIR_FREE(name);
 #endif /* HAVE_SYSLOG_H */
         } else if (STREQLEN(cur, "file", 4)) {
+            if (isSUID)
+                goto cleanup;
             cur += 4;
             if (*cur != ':')
                 goto cleanup;
@@ -1391,6 +1399,8 @@ virLogParseOutputs(const char *outputs)
             VIR_FREE(name);
             VIR_FREE(abspath);
         } else if (STREQLEN(cur, "journald", 8)) {
+            if (isSUID)
+                goto cleanup;
             cur += 8;
 #if USE_JOURNALD
             if (virLogAddOutputToJournald(prio) == 0)