From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Fixing wg-quick's DNS= directive with a hatchet
Date: Mon, 30 Oct 2017 13:16:22 +0100
Message-ID: <87inewde5l.fsf@fifthhorseman.net>
In-Reply-To: <CAHmME9rpVS84KzU4a76tKLPVQ0MfjegvQhLzrF6z=F5Um8128g@mail.gmail.com>

On Sun 2017-10-29 23:06:31 +0100, Jason A. Donenfeld wrote:
> By the way, the program you wrote introduces a trivial local privilege
> escalation vulnerability into Debian, since not all available
> providers of the resolvconf binary set PATH themselves. Always clear
> environment variables yourself before exec'ing anything in an suid
> executable.

Thanks for this report, it should be fixed in resolvconf-admin 0.3.
This is a bad failure in the filtering that resolvconf-admin is supposed
to provide.

I note that the privilege escalation vulnerability was for any code that
would normally have been running as root anyway without resolvconf-admin
-- so it leaves systems no worse than they'd been without
resolvconf-admin (since no user is added to the resolvconf-admins group
by default). But it's definitely a bad failure mode, given the design
and intent of resolvconf-admin.

I appreciate the catch! Please don't hesitate to report any other
similar problems.

Regards,

--dkg
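
The advice quoted in this message (clear the environment yourself before exec'ing anything from an suid executable), as an added example that is not part of the original e-mail and is not resolvconf-admin's code. The function name run_helper_clean, the fixed PATH value and the use of /bin/sh as a stand-in helper are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the helper; nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Run the helper at abs_path with argv and only CLEAN_ENV.
 * Returns its exit status, 127 if exec failed, -1 on other errors. */
int run_helper_clean(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/') {  /* never search PATH */
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve() hands the helper exactly CLEAN_ENV, so PATH, LD_*
         * and anything else set by the caller never reach it. */
        execve(abs_path, argv, CLEAN_ENV);
        _exit(127);
    }
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demo: caller-controlled variables before the exec. */
    setenv("PATH", "/nonexistent/untrusted", 1);
    setenv("EVIL_VAR", "1", 1);
    char *const args[] = { "sh", "-c",
        "[ \"$PATH\" = /usr/sbin:/usr/bin:/sbin:/bin ] && [ -z \"${EVIL_VAR+x}\" ]",
        NULL };
    int rc = run_helper_clean("/bin/sh", args);
    printf("helper saw clean environment: %s\n", rc == 0 ? "yes" : "no");
    return rc == 0 ? 0 : 1;
}
```

The helper is named by absolute path and receives a fixed environment, so it behaves the same whether or not the installed helper resets PATH on its own.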