On Wed, Oct 06, 2010 at 11:50:40AM +0200, Dejan Muhamedagic wrote: > On Tue, Oct 05, 2010 at 07:34:31PM +0200, Lars Ellenberg wrote: > > On Tue, Oct 05, 2010 at 04:03:47PM +0200, Dejan Muhamedagic wrote: > > > > So it is run periodically by root (well, the lrmd, as root). > > > > Even though the cwd of lrmd should be ok, permission wise, in case the > > > > script does cd into somewhere (I don't think it does, now) where someone > > > > with lesser privilege was able to place some evil *.so, the next command > > > > executed by the script may do interesting things. > > > > > > I really doubt that, though it looks dangerous, there is a way to > > > exploit this without root access. > > > > You never know. > > The script itself may not, but it starts something else, > > which may cd somewhere else, then fork/exec.
[ ... some suggestions how to fix it ... ] > Great. Can you please apply this to the repo. I think I have something simpler/better, even. RFC below, if there are no objections, it will go in next week. Someone please double check the "local IFS=:" part, maybe on some SAP systems /bin/sh is something that does not handle that correctly? BTW, looking at those ocf-shellfuncs, did anyone notice that ocf_take_lock is broken, because it's racy? Not sure if/how we should solve that, though. possibly this could do it? while :; do pid=$(head -n1 $file) [ x$pid = x$$ ] && return 0 # won the race if [ -z "$pid" ] || ! kill -0 $pid ; then echo $$ > $file else # other still running sleep 1 fi done And, how about adding HUP/TERM/INT to the EXIT for the trap in ocf_release_lock_on_exit? Oh, and did you know that $lockfile better be an absolute path, or you'll end up deleting something unexpected (or nothing at all) if you cd to somewhere in the script later. BTW2, why is "ocf_is_true ja" a true value, but "ocf_is_true oui" is not? Because lmb lives in Hamburg, not Paris? ;-) # HG changeset patch # User Lars Ellenberg <l...@linbit.com> # Date 1287158610 -7200 # Node ID dc12cb9f7370a3cc9ecfe5d1a26da9e002a90341 # Parent 6efae155209ed2cba851d8c64a796f24ce84fd91 Low: SAPDatabase,SAPInstance: beautify LD_LIBRARY_PATH processing relates to 2773e5850003 and bnc#640026 diff -r 6efae155209e -r dc12cb9f7370 heartbeat/.ocf-shellfuncs.in --- a/heartbeat/.ocf-shellfuncs.in Thu Oct 14 18:39:07 2010 +0900 +++ b/heartbeat/.ocf-shellfuncs.in Fri Oct 15 18:03:30 2010 +0200 @@ -429,6 +429,26 @@ [ ! -z "${OCF_RESKEY_CRM_meta_master_max}" ] && [ "${OCF_RESKEY_CRM_meta_master_max}" -gt 0 ] } +# Takes one parameter (additional parameters ignored), +# and prepends it to LD_LIBRARY_PATH. +# If it's already there, don't add it again, +# but make it the first component. +# Also make sure we don't create an empty LD_LIBRARY_PATH component +# (trailing or leading colon, or "double colon"), +# as that is considered a security issue. +ocf_prepend_ld_library_path() +{ + local x p=$1 + local IFS=: + for x in $LD_LIBRARY_PATH ; do + [ "x$x" = "x$1" ] && continue + [ "x$x" = "x" ] && continue + p=$p:$x + done + LD_LIBRARY_PATH=$p + export LD_LIBRARY_PATH +} + # usage: dirname DIR dirname() { diff -r 6efae155209e -r dc12cb9f7370 heartbeat/SAPDatabase --- a/heartbeat/SAPDatabase Thu Oct 14 18:39:07 2010 +0900 +++ b/heartbeat/SAPDatabase Fri Oct 15 18:03:30 2010 +0200 @@ -965,11 +965,10 @@ esac fi -# as root user we need the library path to the SAP kernel to be able to call executables -if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then - LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH - export LD_LIBRARY_PATH -fi +# As root user we need the library path to the SAP kernel +# to be able to call executables. +ocf_prepend_ld_library_path "$DIR_EXECUTABLE" + sidadm="`echo $SID | tr [:upper:] [:lower:]`adm" # What kind of method was invoked? diff -r 6efae155209e -r dc12cb9f7370 heartbeat/SAPInstance --- a/heartbeat/SAPInstance Thu Oct 14 18:39:07 2010 +0900 +++ b/heartbeat/SAPInstance Fri Oct 15 18:03:30 2010 +0200 @@ -296,10 +296,7 @@ fi # as root user we need the library path to the SAP kernel to be able to call sapcontrol - if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then - LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH - export LD_LIBRARY_PATH - fi + ocf_prepend_ld_library_path "$DIR_EXECUTABLE" sidadm="`echo $SID | tr [:upper:] [:lower:]`adm" -- : Lars Ellenberg : LINBIT | Your Way to High Availability : DRBD/HA support and consulting http://www.linbit.com DRBD® and LINBIT® are registered trademarks of LINBIT, Austria. _______________________________________________________ Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev Home Page: http://linux-ha.org/