Only allow 'stderr' log output when running setuid (CVE-2013-4400)

We must not allow file/syslog/journald log outputs when running setuid since they can be abused to do bad things. In particular the 'file' output can be used to overwrite files. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2024-10-05 05:45:46 +00:00 · 2013-10-09 10:59:36 +01:00 · 2013-10-09 10:59:36 +01:00 · 8c3586ea75
commit 8c3586ea75
parent ae53e5d10e
1 changed files with 10 additions and 0 deletions
--- a/src/util/virlog.c
+++ b/src/util/virlog.c
@ -1324,6 +1324,9 @@ int virLogPriorityFromSyslog(int priority ATTRIBUTE_UNUSED)
 * Multiple output can be defined in a single @output, they just need to be
 * separated by spaces.
 *
+ * If running in setuid mode, then only the 'stderr' output will
+ * be allowed
+ *
 * Returns the number of output parsed and installed or -1 in case of error
 */
 int
@ -1335,6 +1338,7 @@ virLogParseOutputs(const char *outputs)
    virLogPriority prio;
    int ret = -1;
    int count = 0;
+    bool isSUID = virIsSUID();

    if (cur == NULL)
        return -1;
@ -1354,6 +1358,8 @@ virLogParseOutputs(const char *outputs)
            if (virLogAddOutputToStderr(prio) == 0)
                count++;
        } else if (STREQLEN(cur, "syslog", 6)) {
+            if (isSUID)
+                goto cleanup;
            cur += 6;
            if (*cur != ':')
                goto cleanup;
@ -1371,6 +1377,8 @@ virLogParseOutputs(const char *outputs)
            VIR_FREE(name);
 #endif /* HAVE_SYSLOG_H */
        } else if (STREQLEN(cur, "file", 4)) {
+            if (isSUID)
+                goto cleanup;
            cur += 4;
            if (*cur != ':')
                goto cleanup;
@ -1391,6 +1399,8 @@ virLogParseOutputs(const char *outputs)
            VIR_FREE(name);
            VIR_FREE(abspath);
        } else if (STREQLEN(cur, "journald", 8)) {
+            if (isSUID)
+                goto cleanup;
            cur += 8;
 #if USE_JOURNALD
            if (virLogAddOutputToJournald(prio) == 0)