Karel Zak [Thu, 10 Feb 2022 11:03:17 +0000 (12:03 +0100)]
chsh, chfn: remove readline support [CVE-2022-0563]
The readline library uses INPUTRC= environment variable to get a path
to the library config file. When the library cannot parse the
specified file, it prints an error message containing data from the
file.
Unfortunately, the library does not use secure_getenv() (or a similar
concept) to avoid vulnerabilities that could occur in set-user-ID or
set-group-ID programs.
Reported-by: Rory Mackie <rory.mackie@trailofbits.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 25 Jan 2022 10:04:13 +0000 (11:04 +0100)]
build-sys: generate all man pages for distribution tarball
Now "make dist" and "make distcheck" follow autoconf. It means that
disabled tools or tools that cannot compile are ignored, and man-pages
for these tools are not generated. This is a problem for people
without asciidoctor (adoc -> man generator).
Fixes: https://github.com/util-linux/util-linux/issues/1577
Signed-off-by: Karel Zak <kzak@redhat.com>
This issue, related to parsing the /proc/self/mountinfo file, allows an
unprivileged user to unmount other users' filesystems that are either
world-writable themselves or mounted in a world-writable directory.
The support for "(deleted)" is no longer necessary as the Linux kernel does
not use it in /proc/self/mountinfo and /proc/self/mount files anymore.
sys-utils/prlimit.c:467:16: warning: 'hard' may be used uninitialized in this function [-Wmaybe-uninitialized]
lim->rlim_max = hard;
~~~~~~~~~~~~~~^~~~~~
sys-utils/prlimit.c:456:15: note: 'hard' was declared here
rlim_t soft, hard;
^~~~
sys-utils/prlimit.c:466:16: warning: 'soft' may be used uninitialized in this function [-Wmaybe-uninitialized]
lim->rlim_cur = soft;
~~~~~~~~~~~~~~^~~~~~
sys-utils/prlimit.c:456:9: note: 'soft' was declared here
rlim_t soft, hard;
^~~~
References: https://github.com/karelzak/util-linux/issues/1406
Signed-off-by: Karel Zak <kzak@redhat.com>
Since these functions are only used internally, we can make sure they
are being used correctly, and assert() helps in catching remaining
issues. Usage of each changed function has been reviewed:
For xgetpwnam:
- chsh(1) only calls it if a username has been set
- login(1) only calls it if username has been set and is not empty
- su(1) always initializes new_user to "root"
- unshare(1) calls get_user with optarg, so always set as well
For xgetgrnam:
- unshare(1) calls get_group with optarg
For xgetpwuid:
- chsh(1) passes a stack allocated struct for struct passwd
It defined its own xgetlogin, which queried geteuid() instead of getuid(),
with a fallback to "<someone>" when lookup fails. This has been the case
since the function was introduced in 019b97024fde3f07eaf541eef990762483369a11, so geteuid() has always been
used. Since using geteuid for identification isn't consistent with the
rest of util-linux, switching to xgetlogin(), which uses getuid(),
should be correct.
getlogin(3) shouldn't be used for identification here. This also removes
the bug where a missing entry for getuid() in passwd database wouldn't
print a warning, because whom would be set to "???".
For consistency, switch to "<someone>" when pw lookup fails.
Per the man page, it shouldn't be used for security purposes. This is an
issue especially on musl, where getlogin is implemented as
getenv("LOGNAME"). Since xgetlogin is being used as user identity in su(1), to
set PAM_RUSER, we simply switch to always using getpwuid(getuid()).
Karel Zak [Thu, 29 Jul 2021 18:37:32 +0000 (20:37 +0200)]
libmount: don't use setgroups() at all
It's probably a good idea to call setgroups() to cleanup groups,
but it introduces a regression as some mount helpers depend on
supplementary groups like "network" etc.
Fixes: https://github.com/karelzak/util-linux/issues/1398
Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 27 Jul 2021 09:10:53 +0000 (11:10 +0200)]
libfdisk: (dos) don't ignore MBR+FAT use-case
Since libblkid commit 751eca28fcfa1e325770904d7181b22e48c72b29 it does
not ignore FAT on whole-disks, so now libfdisk sees collision between
FAT and MBR. It's fine to report the collision to users, but we should
not ignore the MBR.
Thomas Abraham [Thu, 22 Jul 2021 19:43:13 +0000 (15:43 -0400)]
blockdev: allow for larger values for start sector
commit 9147d2ad8a ("blockdev: Don't fail on missing start sector") limits
the size of the start sector to 10 digits.
Multi-terabyte devices can have partitions with a start sector larger than
10 digits, which will cause an sprintf() to abort due to overflowing the buffer.
Karel Zak [Thu, 22 Jul 2021 09:03:54 +0000 (11:03 +0200)]
lslogins: use sd_journal_get_data() in proper way
man sd_journal_get_data:
The returned data is in a read-only memory map and is only valid until the next invocation
of sd_journal_get_data().
It means that using data after 3x sd_journal_get_data() is a really bad
idea. It also seems better to not assume the fields are zero
terminated as journal API works with void* and size_t to address the
data.
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1984704
Signed-off-by: Karel Zak <kzak@redhat.com>
fdisk: move reorder diag messages to fdisk_reorder_partitions()
The function fdisk_reorder_partitions() is also used in sfdisk and cfdisk
and these commands assume info/warn messages from the library. So move all
messages from fdisk to fdisk_reorder_partitions().
verity: fix verity.roothashsig only working as last parameter
Parsing of verity.roothashsig did not take into consideration that other options
might follow, and used the whole string as a file path. But mnt_optstr_get_option
just returns a pointer in the mount option string, it doesn't extract it, so it
would have other subsequent options too. The length parameter has to be used.
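The pointer-plus-length pitfall this commit message describes, as an added example (not util-linux code). `find_opt()` is a hypothetical stand-in for a lookup that returns a pointer into the option string, and the option values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the lookup described above: on success *val
 * points INTO optstr (nothing is copied) and *len is the value's length. */
static int find_opt(const char *optstr, const char *name,
                    const char **val, size_t *len)
{
    size_t nlen = strlen(name);
    for (const char *p = optstr; p && *p; ) {
        const char *end = strchr(p, ',');
        size_t item = end ? (size_t)(end - p) : strlen(p);
        if (item > nlen && !strncmp(p, name, nlen) && p[nlen] == '=') {
            *val = p + nlen + 1;
            *len = item - nlen - 1;
            return 0;
        }
        p = end ? end + 1 : NULL;
    }
    return 1;                           /* option not present */
}

/* Copy exactly n bytes into a fresh NUL-terminated string. */
static char *copy_n(const char *s, size_t n)
{
    char *r = malloc(n + 1);
    if (r) { memcpy(r, s, n); r[n] = '\0'; }
    return r;
}

/* use_len=0: the bug (value read up to NUL); use_len=1: the fix (len bytes). */
static char *roothashsig_path(const char *optstr, int use_len)
{
    const char *val; size_t len;
    if (find_opt(optstr, "verity.roothashsig", &val, &len))
        return NULL;
    return copy_n(val, use_len ? len : strlen(val));
}

int main(void)
{
    /* Constructed option string: the signature option is not the last one. */
    const char *o = "ro,verity.roothashsig=/etc/root.sig,verity.hashdevice=/dev/sdb2";
    char *bad = roothashsig_path(o, 0), *good = roothashsig_path(o, 1);
    printf("buggy: %s\nfixed: %s\n", bad, good);
    free(bad); free(good);
    return 0;
}
```

With the option in last position both variants return the same path, which is why the defect only shows once another option follows.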
FAT32 can be formatted with boot sign 0x28 to indicate that only serial id
is present or with boot sign 0x29 which indicates that both boot label and
serial id are present.
libblkid: vfat: Fix reading FAT16 boot label and serial id
Older FAT16 variants do not have to contain boot label or serial id. Boot
sign 0x28 indicates that only serial id is present and boot sign 0x29
indicates that both boot label and serial id are present. Other boot sign
values (e.g. zero) indicate an older FAT16 variant without boot label and
boot sign.
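The boot-sign rule from the FAT32 and FAT16 notes above, as an added example (not libblkid code). The offsets 0x26 and 0x42 come from the standard FAT boot sector layout rather than from the commit messages; the struct, function names and sample sector are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FAT16_SIGN_OFF 0x26     /* boot-sign offset, FAT12/16 boot sector */
#define FAT32_SIGN_OFF 0x42     /* boot-sign offset, FAT32 boot sector */

struct fat_ids {
    int has_serial, has_label;
    uint32_t serial;
    char label[12];             /* 11 bytes on disk + NUL */
};

/* On-disk order: boot sign, 4-byte little-endian serial, 11-byte label. */
static int fat_read_ids(const uint8_t *sec, size_t len, size_t off, struct fat_ids *out)
{
    memset(out, 0, sizeof(*out));
    if (len < off + 1 + 4 + 11)
        return -1;              /* truncated sector: do not read past it */
    uint8_t sign = sec[off];
    if (sign != 0x28 && sign != 0x29)
        return 0;               /* other sign: neither field is valid */
    const uint8_t *p = sec + off + 1;
    out->serial = p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
    out->has_serial = 1;
    if (sign == 0x29) {         /* the label exists only with 0x29 */
        memcpy(out->label, p + 4, 11);
        out->has_label = 1;
    }
    return 0;
}

/* Constructed sample sector: zeroed, then sign, serial and label filled in. */
static void make_sector(uint8_t *sec, size_t off, uint8_t sign)
{
    memset(sec, 0, 512);
    sec[off] = sign;
    memcpy(sec + off + 1, "\x78\x56\x34\x12", 4);
    memcpy(sec + off + 5, "DATA       ", 11);
}

int main(void)
{
    uint8_t sec[512];
    struct fat_ids ids;
    make_sector(sec, FAT16_SIGN_OFF, 0x28);
    fat_read_ids(sec, sizeof(sec), FAT16_SIGN_OFF, &ids);
    printf("serial=%08x label_valid=%d\n", (unsigned)ids.serial, ids.has_label);
    return 0;
}
```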
dlopen is treated as a dependency, but that's not quite right, it
should be an alternative way to link to libcryptsetup.
Search for it only if cryptsetup is not disabled, and if the cryptsetup-dlopen
is explicitly set to enabled. If it is, do not link to libcryptsetup.
Add cryptsetup support status to the meson summary.
It should set HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY, rather than HAVE_CRYPTSETUP
which enables the verity features, as it needs to detect the availability of
the crypt_activate_by_signed_key API
Ross Burton [Thu, 1 Jul 2021 19:44:31 +0000 (20:44 +0100)]
test/eject: guard asan LD_PRELOAD with use-system-commands check
This test tries to add asan to LD_PRELOAD because the just-built eject
will call the host /bin/umount, and apparently asan doesn't like this.
However, if ldd isn't present, this fails as the path to asan is the
error message saying that ldd isn't present.
As the asan workaround is only needed when executing the binaries that
have just been built and not the system binaries, only use it if the
test is on the built binaries.
Ross Burton [Tue, 29 Jun 2021 15:34:20 +0000 (16:34 +0100)]
tests: don't hardcode /bin/kill in the kill tests
If the 'kill' test is executed with --use-system-commands, it calls
/bin/kill to avoid the shell's own kill command being invoked.
However, this doesn't work if the kill we want to test isn't in fact in
/bin. Instead, use $(which kill) to find a kill on the PATH and call
that directly.
Karel Zak [Wed, 23 Jun 2021 09:37:31 +0000 (11:37 +0200)]
more: fix null-pointer dereference
The command allows executing arbitrary shell commands while viewing a file by
entering '!' followed by the command. Entering a command that contains a '%',
'!', or '\' causes a segmentation violation.
The same more(1) function has a problem when no file is specified (cat
/etc/passwd | more) on command line.
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1975153
Signed-off-by: Karel Zak <kzak@redhat.com>
The exclusivity between the {fscontext, defcontext} and context options
was removed in kernel 2.6.25[1]. No specific verification on these
options is done in mount(8)[2].