From: Daniel P. Berrange Date: Wed, 9 Oct 2013 09:59:36 +0000 (+0100) Subject: Only allow 'stderr' log output when running setuid (CVE-2013-4400) X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=8c3586ea755c40d5e01b22cb7b5c1e668cdec994;p=libvirt.git Only allow 'stderr' log output when running setuid (CVE-2013-4400) We must not allow file/syslog/journald log outputs when running setuid since they can be abused to do bad things. In particular the 'file' output can be used to overwrite files. Signed-off-by: Daniel P. Berrange --- diff --git a/src/util/virlog.c b/src/util/virlog.c index 8a688fde02..997d582c75 100644 --- a/src/util/virlog.c +++ b/src/util/virlog.c @@ -1324,6 +1324,9 @@ int virLogPriorityFromSyslog(int priority ATTRIBUTE_UNUSED) * Multiple output can be defined in a single @output, they just need to be * separated by spaces. * + * If running in setuid mode, then only the 'stderr' output will + * be allowed + * * Returns the number of output parsed and installed or -1 in case of error */ int @@ -1335,6 +1338,7 @@ virLogParseOutputs(const char *outputs) virLogPriority prio; int ret = -1; int count = 0; + bool isSUID = virIsSUID(); if (cur == NULL) return -1; @@ -1354,6 +1358,8 @@ virLogParseOutputs(const char *outputs) if (virLogAddOutputToStderr(prio) == 0) count++; } else if (STREQLEN(cur, "syslog", 6)) { + if (isSUID) + goto cleanup; cur += 6; if (*cur != ':') goto cleanup; @@ -1371,6 +1377,8 @@ virLogParseOutputs(const char *outputs) VIR_FREE(name); #endif /* HAVE_SYSLOG_H */ } else if (STREQLEN(cur, "file", 4)) { + if (isSUID) + goto cleanup; cur += 4; if (*cur != ':') goto cleanup; @@ -1391,6 +1399,8 @@ virLogParseOutputs(const char *outputs) VIR_FREE(name); VIR_FREE(abspath); } else if (STREQLEN(cur, "journald", 8)) { + if (isSUID) + goto cleanup; cur += 8; #if USE_JOURNALD if (virLogAddOutputToJournald(prio) == 0)