/[packages]/cauldron/nagios-check_mk/current/SOURCES/check_mk-CVE-2014-0243.patch
ViewVC logotype

Contents of /cauldron/nagios-check_mk/current/SOURCES/check_mk-CVE-2014-0243.patch

Parent Directory Parent Directory | Revision Log Revision Log


Revision 650962 - (show annotations) (download)
Wed Jul 9 20:51:55 2014 UTC (6 years, 2 months ago) by alien
File size: 3375 byte(s)
SILENT: forgot patch
1 From a2ef8d00c53ec9cbd05c4ae2f09b50761130e7ce Mon Sep 17 00:00:00 2001
2 From: Mathias Kettner <mk@mathias-kettner.de>
3 Date: Mon, 26 May 2014 10:38:16 +0200
4 Subject: [PATCH] Fix security issue with mk-job on Linux
5
6 By use of symlinks or hardlinks normal users could inject files to be read
7 with root permissions. This was due to the fact that <tt>/var/lib/check_mk_agent/job</tt>
8 was installed with the permissions <tt>1777</tt>, just as <tt>/tmp</tt>. That way
9 a normal user could have placed a symlink to a file there that is only readable
10 by <tt>root</tt>. The content of that file would then appear in the agent output.
11
12 This has been fixed by not longer using <tt>/var/lib/check_mk_agent/job</tt> directly,
13 but by creating a separate subdirectory below that for each user. This is done by
14 a new version of <tt>/usr/bin/mk-job</tt>, so please make sure that if you update
15 the agent that you also update <tt>mk-job</tt>.
16
17 Also you now have to create job subdirectories for non-<tt>root</tt> jobs manually.
18 If you have a job running as user <tt>foo</tt>, then do:
19
20 C+:
21 RP:mkdir -p /var/lib/check_mk_agent/job
22 RP:chown foo.foo /var/lib/check_mk_agent/job
23 C-:
24 ---
25 diff --git a/ChangeLog b/ChangeLog
26 index 0c9d45e..6ede67a 100644
27 --- a/ChangeLog
28 +++ b/ChangeLog
29 @@ -56,6 +56,8 @@
30 NOTE: Please refer to the migration notes!
31 * 0920 blade_bays: now also detects if blade server is switched off
32 * 0977 check_traceroute: new active check for checking presence and absence of routes...
33 + * 0978 Fix security issue with mk-job on Linux...
34 + NOTE: Please refer to the migration notes!
35 * 0777 FIX: special agent emcvnx: did not work with security file authentication...
36 * 0786 FIX: zfsget: fixed compatibility with older Solaris agents...
37 * 0809 FIX: brocade_fcport: Fixed recently introduced problem with port speed detection
38 diff --git a/agents/check_mk_agent.linux b/agents/check_mk_agent.linux
39 index 1c9400a..15e416c 100755
40 --- a/agents/check_mk_agent.linux
41 +++ b/agents/check_mk_agent.linux
42 @@ -495,10 +495,20 @@ then
43 done
44 fi
45
46 -# Get statistics about monitored jobs
47 -if cd /var/lib/check_mk_agent/job; then
48 +# Get statistics about monitored jobs. Below the job directory there
49 +# is a sub directory per user that ran a job. That directory must be
50 +# owned by the user so that a symlink or hardlink attack for reading
51 +# arbitrary files can be avoided.
52 +if pushd /var/lib/check_mk_agent/job >/dev/null; then
53 echo '<<<job>>>'
54 - head -n -0 -v *
55 + for username in *
56 + do
57 + if [ -d "$username" ] && cd "$username" ; then
58 + su "$username" -c "head -n -0 -v *"
59 + cd ..
60 + fi
61 + done
62 + popd > /dev/null
63 fi
64
65 # Gather thermal information provided e.g. by acpi
66 diff --git a/agents/mk-job b/agents/mk-job
67 index e1df542..04da0c8 100755
68 --- a/agents/mk-job
69 +++ b/agents/mk-job
70 @@ -39,12 +39,18 @@ if [ $# -lt 2 ]; then
71 exit 1
72 fi
73
74 -OUTPUT_PATH=/var/lib/check_mk_agent/job
75 +MYSELF=$(id -nu)
76 +OUTPUT_PATH=/var/lib/check_mk_agent/job/$MYSELF
77 IDENT=$1
78 shift
79
80 if [ ! -d "$OUTPUT_PATH" ]; then
81 - mkdir -p "$OUTPUT_PATH"
82 + if [ "$MYSELF" = root ] ; then
83 + mkdir -p "$OUTPUT_PATH"
84 + else
85 + echo "ERROR: Missing output directory $OUTPUT_PATH for non-root user '$MYSELF'." >&2
86 + exit 1
87 + fi
88 fi
89
90 if ! type $1 >/dev/null 2>&1; then
91 --
92 1.7.10.4
93

  ViewVC Help
Powered by ViewVC 1.1.28