1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

core: warn if a generator is world-writable

... because that is obviously a security risk.

(cherry picked from commit da32cac8a0)
This commit is contained in:
Lukas Nykryn 2024-10-04 10:51:02 +02:00 committed by Luca Boccassi
parent 7b9e412d8a
commit 7ac58949a3
3 changed files with 14 additions and 1 deletions

View File

@ -4126,7 +4126,7 @@ static int manager_execute_generators(Manager *m, char **paths, bool remount_ro)
/* callbacks= */ NULL, /* callback_args= */ NULL,
(char**) argv,
ge,
EXEC_DIR_PARALLEL | EXEC_DIR_IGNORE_ERRORS | EXEC_DIR_SET_SYSTEMD_EXEC_PID);
EXEC_DIR_PARALLEL | EXEC_DIR_IGNORE_ERRORS | EXEC_DIR_SET_SYSTEMD_EXEC_PID | EXEC_DIR_WARN_WORLD_WRITABLE);
}
static int manager_run_generators(Manager *m) {

View File

@ -155,6 +155,18 @@ static int do_execute(
log_debug("About to execute %s%s%s", t, argv ? " " : "", argv ? strnull(args) : "");
}
if (FLAGS_SET(flags, EXEC_DIR_WARN_WORLD_WRITABLE)) {
struct stat st;
r = stat(t, &st);
if (r < 0)
log_warning_errno(errno, "Failed to stat '%s', ignoring: %m", t);
else if (S_ISREG(st.st_mode) && (st.st_mode & 0002))
log_warning("'%s' is marked world-writable, which is a security risk as it "
"is executed with privileges. Please remove world writability "
"permission bits. Proceeding anyway.", t);
}
r = do_spawn(t, argv, fd, FLAGS_SET(flags, EXEC_DIR_SET_SYSTEMD_EXEC_PID), &pid);
if (r <= 0)
continue;

View File

@ -20,6 +20,7 @@ typedef enum {
EXEC_DIR_IGNORE_ERRORS = 1 << 1, /* Ignore non-zero exit status of scripts */
EXEC_DIR_SET_SYSTEMD_EXEC_PID = 1 << 2, /* Set $SYSTEMD_EXEC_PID environment variable */
EXEC_DIR_SKIP_REMAINING = 1 << 3, /* Ignore remaining executions when one exit with 77. */
EXEC_DIR_WARN_WORLD_WRITABLE = 1 << 4, /* Warn if world writable files are found */
} ExecDirFlags;
typedef enum ExecCommandFlags {