authorColin Walters <walters@verbum.org>2013-02-24 08:27:08 -0500
committerColin Walters <walters@verbum.org>2013-02-24 09:24:08 -0500
commitc4388a624de392a72a5826b0d61c2aa21f283ede (patch)
treebaac8a06a52347892c50efb5c4d87e83302bc301
parentef7cd3d4da4e72fe7b63174a3705d330177e5515 (diff)
downloadlinux-user-chroot-c4388a624de392a72a5826b0d61c2aa21f283ede.tar.gz
[SECURITY] Invoke chdir() after we've switched uid, not before
Otherwise, the user can access otherwise inaccessible directories like: $ linux-user-chroot --chdir /root/.virsh / /bin/sh Reported-by: Ryan Lortie <desrt@desrt.ca> Reported-by: Marc Deslauriers <marc.deslauriers@canonical.com>
-rw-r--r--src/linux-user-chroot.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/linux-user-chroot.c b/src/linux-user-chroot.c
index fa8a2be..ac542ad 100644
--- a/src/linux-user-chroot.c
+++ b/src/linux-user-chroot.c
@@ -361,9 +361,6 @@ main (int argc,
fatal_errno ("chroot");
}
- if (chdir (chdir_target) < 0)
- fatal_errno ("chdir");
-
/* Switch back to the uid of our invoking process. These calls are
* irrevocable - see setuid(2) */
if (setgid (rgid) < 0)
@@ -371,6 +368,9 @@ main (int argc,
if (setuid (ruid) < 0)
fatal_errno ("setuid");
+ if (chdir (chdir_target) < 0)
+ fatal_errno ("chdir");
+
if (execvp (program, program_argv) < 0)
fatal_errno ("execv");
}
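Review bot: The relocated `chdir (chdir_target)` in the second hunk has no comment saying that its position after `setgid`/`setuid` is the security fix, so a later tidy-up could move it back ahead of the uid switch without anyone noticing. I would add above it `/* Must stay after setgid()/setuid(): the target is then permission-checked as the invoking user, not as root. */`. Separately, nothing visible here shows whether `chdir_target` has to be an absolute path; if a relative value is accepted, it presumably resolves against the working directory inherited from before `chroot`, which is worth confirming where the option is parsed. `main` begins outside this hunk, so the option handling and the code between `chroot` and the uid switch are not visible from here.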