]> git.ipfire.org Git - thirdparty/util-linux.git/commit
hwclock: make --date=argument less prone to injection
authorSami Kerola <kerolasa@iki.fi>
Wed, 27 Jul 2016 18:47:38 +0000 (19:47 +0100)
committerSami Kerola <kerolasa@iki.fi>
Sat, 4 Feb 2017 23:39:38 +0000 (23:39 +0000)
commit9c65888e823a1d54b7198f6e75919e7a13867bca
treeb9d1dca6a309cbd988dac56bf4327419cc1cb7c4
parent926ffe745162c7d794ec69593dee09730a767539
hwclock: make --date=argument less prone to injection

This change should not improve security much.  One hopes hwclock --set is
restricted for root only.  Where hwclock is allowed to run via sudo, or has
setuid setup, there is a pretty easy privilege escalation via subshell.

$ sudo ./hwclock --set --date='2000-10-20$(touch /tmp/hwclock.inject)'

Reviewed-by: J William Piggott <elseifthen@gmx.com>
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
sys-utils/hwclock.c