diff options
| author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-10-07 11:15:05 +0200 |
|---|---|---|
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-10-14 10:04:12 +0200 |
| commit | 0a42426d797406b4b01a0d9c13bb759c2629d108 (patch) | |
| tree | d7651fb8af1a2fb3ca22e78451282f12f39019a5 /src/shared/pager.c | |
| parent | 1b5b507cd2d1d7a2b053151abb548475ad9c5c3b (diff) | |
| download | systemd-0a42426d797406b4b01a0d9c13bb759c2629d108.tar.gz | |
pager: make pager secure when under euid is changed or explicitly requested
The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about
less now), and we automatically enable secure mode in certain cases, but not
otherwise.
This approach is more nuanced, but should provide a better experience for
users:
- Previusly we would set LESSSECURE=1 and trust the pager to make use of
it. But this has an effect only on less. We need to not start pagers which
are insecure when in secure mode. In particular more is like that and is a
very popular pager.
- We don't enable secure mode always, which means that those other pagers can
reasonably used.
- We do the right thing by default, but the user has ultimate control by
setting SYSTEMD_PAGERSECURE.
Fixes #5666.
v2:
- also check $PKEXEC_UID
v3:
- use 'sd_pid_get_owner_uid() != geteuid()' as the condition
Diffstat (limited to 'src/shared/pager.c')
| -rw-r--r-- | src/shared/pager.c | 63 |
1 files changed, 42 insertions, 21 deletions
diff --git a/src/shared/pager.c b/src/shared/pager.c index 9c21881241..9a14d44d69 100644 --- a/src/shared/pager.c +++ b/src/shared/pager.c @@ -8,6 +8,8 @@ #include <sys/prctl.h> #include <unistd.h> +#include "sd-login.h" + #include "copy.h" #include "env-util.h" #include "fd-util.h" @@ -165,25 +167,42 @@ int pager_open(PagerFlags flags) { } /* People might invoke us from sudo, don't needlessly allow less to be a way to shell out - * privileged stuff. */ - r = getenv_bool("SYSTEMD_LESSSECURE"); - if (r == 0) { /* Remove env var if off */ - if (unsetenv("LESSSECURE") < 0) { - log_error_errno(errno, "Failed to uset environment variable LESSSECURE: %m"); - _exit(EXIT_FAILURE); - } - } else { - /* Set env var otherwise */ + * privileged stuff. If the user set $SYSTEMD_PAGERSECURE, trust their configuration of the + * pager. If they didn't, use secure mode when under euid is changed. If $SYSTEMD_PAGERSECURE + * wasn't explicitly set, and we autodetect the need for secure mode, only use the pager we + * know to be good. */ + int use_secure_mode = getenv_bool("SYSTEMD_PAGERSECURE"); + bool trust_pager = use_secure_mode >= 0; + if (use_secure_mode == -ENXIO) { + uid_t uid; + + r = sd_pid_get_owner_uid(0, &uid); if (r < 0) - log_warning_errno(r, "Unable to parse $SYSTEMD_LESSSECURE, ignoring: %m"); + log_debug_errno(r, "sd_pid_get_owner_uid() failed, enabling pager secure mode: %m"); - if (setenv("LESSSECURE", "1", 1) < 0) { - log_error_errno(errno, "Failed to set environment variable LESSSECURE: %m"); - _exit(EXIT_FAILURE); - } + use_secure_mode = r < 0 || uid != geteuid(); + + } else if (use_secure_mode < 0) { + log_warning_errno(use_secure_mode, "Unable to parse $SYSTEMD_PAGERSECURE, assuming true: %m"); + use_secure_mode = true; } - if (pager_args) { + /* We generally always set variables used by less, even if we end up using a different pager. + * They shouldn't hurt in any case, and ideally other pagers would look at them too. */ + if (use_secure_mode) + r = setenv("LESSSECURE", "1", 1); + else + r = unsetenv("LESSSECURE"); + if (r < 0) { + log_error_errno(errno, "Failed to adjust environment variable LESSSECURE: %m"); + _exit(EXIT_FAILURE); + } + + if (trust_pager && pager_args) { /* The pager config might be set globally, and we cannot + * know if the user adjusted it to be appropriate for the + * secure mode. Thus, start the pager specified through + * envvars only when $SYSTEMD_PAGERSECURE was explicitly set + * as well. */ r = loop_write(exe_name_pipe[1], pager_args[0], strlen(pager_args[0]) + 1, false); if (r < 0) { log_error_errno(r, "Failed to write pager name to socket: %m"); @@ -195,13 +214,14 @@ int pager_open(PagerFlags flags) { "Failed to execute '%s', using fallback pagers: %m", pager_args[0]); } - /* Debian's alternatives command for pagers is - * called 'pager'. Note that we do not call - * sensible-pagers here, since that is just a - * shell script that implements a logic that - * is similar to this one anyway, but is - * Debian-specific. */ + /* Debian's alternatives command for pagers is called 'pager'. Note that we do not call + * sensible-pagers here, since that is just a shell script that implements a logic that is + * similar to this one anyway, but is Debian-specific. */ FOREACH_STRING(exe, "pager", "less", "more") { + /* Only less implements secure mode right now. */ + if (use_secure_mode && !streq(exe, "less")) + continue; + r = loop_write(exe_name_pipe[1], exe, strlen(exe) + 1, false); if (r < 0) { log_error_errno(r, "Failed to write pager name to socket: %m"); @@ -212,6 +232,7 @@ int pager_open(PagerFlags flags) { "Failed to execute '%s', using next fallback pager: %m", exe); } + /* Our builtin is also very secure. */ r = loop_write(exe_name_pipe[1], "(built-in)", strlen("(built-in)") + 1, false); if (r < 0) { log_error_errno(r, "Failed to write pager name to socket: %m"); |