| 863 |
the compiler showing warning messages about size of data types. |
the compiler showing warning messages about size of data types. |
| 864 |
Since size of data types may mismatch for sscanf(), |
Since size of data types may mismatch for sscanf(), |
| 865 |
I replaced some types with 'unsigned int'. |
I replaced some types with 'unsigned int'. |
| 866 |
|
|
| 867 |
|
Version 1.4 2007/04/01 x86_64 support release. |
| 868 |
|
|
| 869 |
|
Fix 2007/04/18 |
| 870 |
|
|
| 871 |
|
@ Change argv[0] checking rule. |
| 872 |
|
|
| 873 |
|
I was comparing the basename of symbolic link's pathname and argv[0]. |
| 874 |
|
Since execute permission check and domain transition are done |
| 875 |
|
based on realpath while argv[0] check is done based on the symlink's |
| 876 |
|
pathname and argv[0], this specification will allow attackers behave |
| 877 |
|
as /bin/cat in the domain of /bin/ls if "/bin/ls and /bin/cat are |
| 878 |
|
links to /sbin/busybox" and "the attacker is permitted to create |
| 879 |
|
a symlink named ~/cat that points to /bin/ls" and "the attacker is |
| 880 |
|
permitted to run /bin/ls". |
| 881 |
|
So, I changed to compare the basename of realpath and argv[0]. |
| 882 |
|
Also, I moved the location to compare before processing |
| 883 |
|
"aggregator" directive so that |
| 884 |
|
"aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp" |
| 885 |
|
won't cause the mismatch of the basename of realpath and argv[0]. |
| 886 |
|
|
| 887 |
|
If /bin/ls is a symlink to /sbin/busybox, then |
| 888 |
|
creating a symlink named ~/cat that points to /bin/ls and |
| 889 |
|
executing ~/cat won't work as expected because permission check and |
| 890 |
|
domain transition are done using /sbin/busybox (realpath of /bin/ls) |
| 891 |
|
and will be rejected since the administrator won't grant |
| 892 |
|
"1 /sbin/busybox". |
TOMOYO
Parent Directory
Revision Log
Patch