I replaced some types with 'unsigned int'.

Version 1.4 2007/04/01   x86_64 support release.

    Fix 2007/04/18

        @ Change argv[0] checking rule.

          I was comparing the basename of the symbolic link's pathname and argv[0].
          Since the execute permission check and domain transition are done
          based on realpath while the argv[0] check is done based on the symlink's
          pathname and argv[0], this specification will allow attackers to behave
          as /bin/cat in the domain of /bin/ls if "/bin/ls and /bin/cat are
          links to /sbin/busybox" and "the attacker is permitted to create
          a symlink named ~/cat that points to /bin/ls" and "the attacker is
          permitted to run /bin/ls".
          So, I changed it to compare the basename of realpath and argv[0].
          Also, I moved the location of the comparison to before processing the
          "aggregator" directive so that
          "aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp"
          won't cause a mismatch between the basename of realpath and argv[0].

          If /bin/ls is a symlink to /sbin/busybox, then
          creating a symlink named ~/cat that points to /bin/ls and
          executing ~/cat won't work as expected because the permission check and
          domain transition are done using /sbin/busybox (realpath of /bin/ls)
          and will be rejected since the administrator won't grant
          "1 /sbin/busybox".
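The following is an added toy model of the two argv[0] rules described in this entry; it is not TOMOYO's own code. The resolver and paths are constructed: /bin/ls and /bin/cat are hard links to busybox (so their realpath is their own path) and /home/user/cat stands for the attacker's ~/cat symlink pointing to /bin/ls.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for realpath(): only the ~/cat symlink from the
 * ChangeLog entry is modelled; hard links keep their own pathname. */
static const char *toy_realpath(const char *path)
{
    if (strcmp(path, "/home/user/cat") == 0)
        return "/bin/ls";           /* ~/cat -> /bin/ls */
    return path;
}

static const char *basename_of(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Old rule (before 2007/04/18): basename of the pathname passed to
 * execve(), which may be the attacker's symlink, versus argv[0]. */
int argv0_check_old(const char *exec_path, const char *argv0)
{
    return strcmp(basename_of(exec_path), argv0) == 0;
}

/* New rule: basename of realpath versus argv[0], so the check is made on
 * the same path the execute permission and domain transition use.
 * The comparison is done before any "aggregator" rewriting of the path. */
int argv0_check_new(const char *exec_path, const char *argv0)
{
    return strcmp(basename_of(toy_realpath(exec_path)), argv0) == 0;
}

int main(void)
{
    const char *path = "/home/user/cat";   /* granted via "1 /bin/ls" */
    printf("execve(%s) with argv[0]=\"cat\"\n", path);
    printf("  old rule: %s\n", argv0_check_old(path, "cat") ? "allowed" : "rejected");
    printf("  new rule: %s\n", argv0_check_new(path, "cat") ? "allowed" : "rejected");
    return 0;
}
```

With the old rule the symlink's basename "cat" matches argv[0], so busybox runs as cat inside the /bin/ls domain; with the new rule the realpath basename is "ls" and the mismatch is rejected.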