Bug ID 1170162
Summary AUDIT-FIND: enlightenment: enlightenment_system: _store_umount_verify(): does not protect against shell metacharacters and relative path components
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee simonf.lees@suse.com
Reporter matthias.gerstner@suse.com
QA Contact qa-bugs@suse.de
CC security-team@suse.de
Blocks 1169238
Found By ---
Blocker ---

+++ This bug was initially created as a clone of Bug #1169238


This function tries to make sure that the user can only unmount his own mounts
below /media/$user. It also rejects backslashes in the path. However, it does
not reject relative path components or shell characters.

- this allows a regular user to unmount arbitrary file systems by passing
  paths like "/media/$user/../../tmp".
- since the unmount is performed by calling the `umount` utility via
  "/bin/sh", shell metacharacters will be interpreted. Passing a path like
  '/media/testuser/$(date)' will cause the setuid-root program to execute the
  `date` program as root. This leads to full code execution as root. The only
  requirement is that a directory of the same name exists. Spaces are also
  allowed in the path, therefore even complex commands can be executed as root.

I recommend rejecting relative path components and shell metacharacters in
this function to fix the issue.
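
An added example, not part of the original report and not Enlightenment code: one way to write the recommended check in C. The function name umount_path_is_safe(), the rejected character set and the sample paths in main() are assumptions made for illustration; whitespace is rejected as well because the shell treats it as a word separator.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the Enlightenment source). Returns 1 only when
 * path lies strictly below /media/<user>/ and contains neither relative
 * components nor shell metacharacters. Lexical check only: symlinks are
 * not resolved. */
int umount_path_is_safe(const char *path, const char *user)
{
    /* Assumed reject set: characters /bin/sh interprets, plus whitespace. */
    static const char shell_meta[] = "$`\\\"'|&;<>(){}[]*?!~# \t\n\r";
    char prefix[256];
    const char *p;
    int n;

    if (!path || !user || !*user || strchr(user, '/')) return 0;
    if (!strcmp(user, ".") || !strcmp(user, "..")) return 0;
    n = snprintf(prefix, sizeof(prefix), "/media/%s/", user);
    if (n < 0 || (size_t)n >= sizeof(prefix)) return 0;
    if (strncmp(path, prefix, (size_t)n) != 0) return 0; /* outside own dir */
    if (strpbrk(path, shell_meta)) return 0;  /* e.g. "$(date)", backslash */

    p = path + n;
    if (!*p) return 0;                  /* nothing after /media/<user>/ */
    while (*p) {                        /* inspect each '/'-separated component */
        size_t len = strcspn(p, "/");
        if (len == 0 || (len == 1 && p[0] == '.') ||
            (len == 2 && p[0] == '.' && p[1] == '.'))
            return 0;                   /* "//", "." or ".." */
        p += len;
        if (*p == '/') p++;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample paths; the last two are modelled on the report. */
    const char *samples[] = { "/media/testuser/usbdisk",
                              "/media/testuser/../../tmp",
                              "/media/testuser/$(date)" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s %s\n", samples[i],
               umount_path_is_safe(samples[i], "testuser") ? "accept" : "reject");
    return 0;
}
```

Passing the validated path to umount as a single argv element through execv(), instead of building a command line for /bin/sh, removes shell interpretation of the path altogether.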

