autofs-5.1.0 - add config option to force use of program map stdvars |
|
|
|
From: Ian Kent <ikent@redhat.com> |
|
|
|
Enabling the extended environment (including $HOME, for example) for |
|
program maps opens automount(8) to a privilege escalation. |
|
|
|
Rather than just removing the extended environment a configuration |
|
option is added to disable it by default so that those who wish to |
|
use it can do so if they wish. |
|
--- |
|
CHANGELOG | 1 + |
|
include/defaults.h | 2 ++ |
|
lib/defaults.c | 12 ++++++++++++ |
|
man/autofs.5 | 5 +++++ |
|
man/autofs.conf.5.in | 9 +++++++++ |
|
modules/lookup_program.c | 14 +++++++++++++- |
|
redhat/autofs.conf.default.in | 11 +++++++++++ |
|
samples/autofs.conf.default.in | 11 +++++++++++ |
|
8 files changed, 64 insertions(+), 1 deletion(-) |
|
|
|
--- autofs-5.0.7.orig/CHANGELOG |
|
+++ autofs-5.0.7/CHANGELOG |
|
@@ -163,6 +163,7 @@ |
|
- ensure negative cache isn't updated on remount. |
|
- dont add wildcard to negative cache. |
|
- add a prefix to program map stdvars. |
|
+- add config option to force use of program map stdvars. |
|
|
|
25/07/2012 autofs-5.0.7 |
|
======================= |
|
--- autofs-5.0.7.orig/include/defaults.h |
|
+++ autofs-5.0.7/include/defaults.h |
|
@@ -30,6 +30,7 @@ |
|
#define DEFAULT_UMOUNT_WAIT "12" |
|
#define DEFAULT_BROWSE_MODE "1" |
|
#define DEFAULT_LOGGING "none" |
|
+#define DEFAULT_FORCE_STD_PROG_MAP_ENV "0" |
|
|
|
#define DEFAULT_LDAP_TIMEOUT "-1" |
|
#define DEFAULT_LDAP_NETWORK_TIMEOUT "8" |
|
@@ -151,6 +152,7 @@ unsigned int defaults_get_timeout(void); |
|
unsigned int defaults_get_negative_timeout(void); |
|
unsigned int defaults_get_browse_mode(void); |
|
unsigned int defaults_get_logging(void); |
|
+unsigned int defaults_force_std_prog_map_env(void); |
|
const char *defaults_get_ldap_server(void); |
|
unsigned int defaults_get_ldap_timeout(void); |
|
unsigned int defaults_get_ldap_network_timeout(void); |
|
--- autofs-5.0.7.orig/lib/defaults.c |
|
+++ autofs-5.0.7/lib/defaults.c |
|
@@ -50,6 +50,7 @@ |
|
#define NAME_NEGATIVE_TIMEOUT "negative_timeout" |
|
#define NAME_BROWSE_MODE "browse_mode" |
|
#define NAME_LOGGING "logging" |
|
+#define NAME_FORCE_STD_PROG_MAP_ENV "force_standard_program_map_env" |
|
|
|
#define NAME_LDAP_URI "ldap_uri" |
|
#define NAME_LDAP_TIMEOUT "ldap_timeout" |
|
@@ -1589,6 +1590,17 @@ unsigned int defaults_get_logging(void) |
|
return logging; |
|
} |
|
|
|
+unsigned int defaults_force_std_prog_map_env(void) |
|
+{ |
|
+ int res; |
|
+ |
|
+ res = conf_get_yesno(autofs_gbl_sec, NAME_FORCE_STD_PROG_MAP_ENV); |
|
+ if (res < 0) |
|
+ res = atoi(DEFAULT_FORCE_STD_PROG_MAP_ENV); |
|
+ |
|
+ return res; |
|
+} |
|
+ |
|
unsigned int defaults_get_ldap_timeout(void) |
|
{ |
|
int res; |
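Review bot: The new getter `defaults_force_std_prog_map_env()` carries no comment, although a non-zero return is what switches off the "AUTOFS_" prefix that the commit message ties to a privilege escalation. I would add a header comment such as `/* Non-zero only when force_standard_program_map_env is explicitly enabled; an unset option falls back to DEFAULT_FORCE_STD_PROG_MAP_ENV ("0"), which keeps the prefix. */`. How `conf_get_yesno()` treats a present but malformed value is not visible in this hunk, so it is worth confirming that such a value cannot come back as non-zero. The name also omits the `get_` that the neighbouring `defaults_get_logging()` and `defaults_get_ldap_timeout()` use.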
|
--- autofs-5.0.7.orig/man/autofs.5 |
|
+++ autofs-5.0.7/man/autofs.5 |
|
@@ -190,6 +190,11 @@ SHOST Short hostname (domain part remove |
|
.fi |
|
.RE |
|
.sp |
|
+If a program map is used these standard environment variables will have |
|
+a prefix of "AUTOFS_" to prevent interpreted languages like python from |
|
+being able to load and execute arbitray code from a user home directory. |
|
+.RE |
|
+.sp |
|
Additional entries can be defined with the -Dvariable=Value map-option to |
|
.BR automount (8). |
|
.SS Executable Maps |
|
--- autofs-5.0.7.orig/man/autofs.conf.5.in |
|
+++ autofs-5.0.7/man/autofs.conf.5.in |
|
@@ -71,6 +71,15 @@ options replace the global options (prog |
|
.B logging |
|
.br |
|
set default log level "none", "verbose" or "debug" (program default "none"). |
|
+.TP |
|
+.B force_standard_program_map_env |
|
+.br |
|
+override the use of a prefix with standard environment variables when a |
|
+program map is executed. Since program maps are run as the privileded |
|
+user setting these standard environment variables opens automount(8) to |
|
+potential user privilege escalation when the program map is written in a |
|
+language that can load components from, for example, a user home directory |
|
+(program default "no"). |
|
.SS LDAP Configuration |
|
.P |
|
Configuration settings available are: |
|
--- autofs-5.0.7.orig/modules/lookup_program.c |
|
+++ autofs-5.0.7/modules/lookup_program.c |
|
@@ -129,6 +129,7 @@ static char *lookup_one(struct autofs_po |
|
int distance; |
|
int alloci = 1; |
|
int status; |
|
+ char *prefix; |
|
|
|
mapent = (char *) malloc(MAPENT_MAX_LEN + 1); |
|
if (!mapent) { |
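Review bot: The added `char *prefix;` is left uninitialised and is non-const, even though it only ever points at a string literal or NULL. Declaring it as `const char *prefix = "AUTOFS_";` makes the protected behaviour the default on every path, so the later code only has to clear it when the option is set. This assumes `addstdenv()` takes a `const char *`, which the hunk does not show. The body of `lookup_one()` starts and ends outside this hunk.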
|
@@ -174,6 +175,17 @@ static char *lookup_one(struct autofs_po |
|
warn(ap->logopt, |
|
MODPREFIX "failed to set PWD to %s for map %s", |
|
ap->path, ctxt->mapname); |
|
+ |
|
+ /* |
|
+ * By default use a prefix with standard environment |
|
+ * variables to prevent system subversion by interpreted |
|
+ * languages. |
|
+ */ |
|
+ if (defaults_force_std_prog_map_env()) |
|
+ prefix = NULL; |
|
+ else |
|
+ prefix = "AUTOFS_"; |
|
+ |
|
/* |
|
* MAPFMT_DEFAULT must be "sun" for ->parse_init() to have setup |
|
* the macro table. |
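Review bot: When `defaults_force_std_prog_map_env()` is non-zero the new branch sets `prefix = NULL` silently, so nothing in the logs records that this map program is being run with the unprefixed, user-derived variables the commit message describes as opening automount(8) to privilege escalation. A message beside the existing PWD warning would make the setting auditable, for example `warn(ap->logopt, MODPREFIX "force_standard_program_map_env is set, standard variables exported without prefix for map %s", ctxt->mapname);`. The level could be lowered if one line per lookup is too noisy. The new `if`/`else` is also unbraced, unlike the braced `if` blocks around it. The enclosing function continues outside the hunk.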
|
@@ -181,7 +193,7 @@ static char *lookup_one(struct autofs_po |
|
if (ctxt->mapfmt && strcmp(ctxt->mapfmt, "MAPFMT_DEFAULT")) { |
|
struct parse_context *pctxt = (struct parse_context *) ctxt->parse->context; |
|
/* Add standard environment as seen by sun map parser */ |
|
- pctxt->subst = addstdenv(pctxt->subst, "AUTOFS_"); |
|
+ pctxt->subst = addstdenv(pctxt->subst, prefix); |
|
macro_setenv(pctxt->subst); |
|
} |
|
execl(ctxt->mapname, ctxt->mapname, name, NULL); |
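Review bot: The call `addstdenv(pctxt->subst, prefix)` now depends on `addstdenv()` accepting a NULL prefix, and that contract is not visible in this hunk. The comment above the call should say so, e.g. `/* Add standard environment as seen by sun map parser; prefix is NULL only when force_standard_program_map_env is set */`. Separately, the guard on the context line compares `ctxt->mapfmt` with the string literal `"MAPFMT_DEFAULT"` rather than a macro value, which appears at odds with the comment about MAPFMT_DEFAULT being "sun". It is worth confirming, since that test decides whether these variables reach the program map at all.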
|
--- autofs-5.0.7.orig/redhat/autofs.conf.default.in |
|
+++ autofs-5.0.7/redhat/autofs.conf.default.in |
|
@@ -53,6 +53,17 @@ mount_nfs_default_protocol = 4 |
|
# |
|
#logging = none |
|
# |
|
+# force_standard_program_map_env - disable the use of the "AUTOFS_" |
|
+# prefix for standard environemt variables when |
|
+# executing a program map. Since program maps |
|
+# are run as the privileded user this opens |
|
+# automount(8) to potential user privilege |
|
+# escalation when the program map is written |
|
+# in a language that can load components from, |
|
+# for example, a user home directory. |
|
+# |
|
+# force_standard_program_map_env = no |
|
+# |
|
# Define base dn for map dn lookup. |
|
# |
|
# Define server URIs |
|
--- autofs-5.0.7.orig/samples/autofs.conf.default.in |
|
+++ autofs-5.0.7/samples/autofs.conf.default.in |
|
@@ -52,6 +52,17 @@ browse_mode = no |
|
# |
|
#logging = none |
|
# |
|
+# force_standard_program_map_env - disable the use of the "AUTOFS_" |
|
+# prefix for standard environemt variables when |
|
+# executing a program map. Since program maps |
|
+# are run as the privileded user this opens |
|
+# automount(8) to potential user privilege |
|
+# escalation when the program map is written |
|
+# in a language that can load components from, |
|
+# for example, a user home directory. |
|
+# |
|
+# force_standard_program_map_env = no |
|
+# |
|
# Define base dn for map dn lookup. |
|
# |
|
# Define server URIs
|
|
|