| 865 |
I replaced some types with 'unsigned int'. |
I replaced some types with 'unsigned int'. |
| 866 |
|
|
| 867 |
Version 1.4 2007/04/01 x86_64 support release. |
Version 1.4 2007/04/01 x86_64 support release. |
| 868 |
|
|
| 869 |
|
Fix 2007/04/18 |
| 870 |
|
|
| 871 |
|
@ Change argv[0] checking rule. |
| 872 |
|
|
| 873 |
|
I was comparing the basename of symbolic link's pathname and argv[0]. |
| 874 |
|
Since execute permission check and domain transition are done |
| 875 |
|
based on realpath while argv[0] check is done based on the symlink's |
| 876 |
|
pathname and argv[0], this specification will allow attackers behave |
| 877 |
|
as /bin/cat in the domain of /bin/ls if "/bin/ls and /bin/cat are |
| 878 |
|
links to /sbin/busybox" and "the attacker is permitted to create |
| 879 |
|
a symlink named ~/cat that points to /bin/ls" and "the attacker is |
| 880 |
|
permitted to run /bin/ls". |
| 881 |
|
So, I changed to compare the basename of realpath and argv[0]. |
| 882 |
|
Also, I moved the location to compare before processing |
| 883 |
|
"aggregator" directive so that |
| 884 |
|
"aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp" |
| 885 |
|
won't cause the mismatch of the basename of realpath and argv[0]. |
| 886 |
|
|
| 887 |
|
If /bin/ls is a symlink to /sbin/busybox, then |
| 888 |
|
creating a symlink named ~/cat that points to /bin/ls and |
| 889 |
|
executing ~/cat won't work as expected because permission check and |
| 890 |
|
domain transition are done using /sbin/busybox (realpath of /bin/ls) |
| 891 |
|
and will be rejected since the administrator won't grant |
| 892 |
|
"1 /sbin/busybox". |
| 893 |
|
|
| 894 |
|
Fix 2007/05/07 |
| 895 |
|
|
| 896 |
|
@ Support pathname subtraction. |
| 897 |
|
|
| 898 |
|
There was no way to exclude specific pathnames when granting |
| 899 |
|
permissions using wildcards. |
| 900 |
|
There would be a need to exclude specific files and directories. |
| 901 |
|
I introduced "\-" as subtraction operator. |
| 902 |
|
|
| 903 |
|
"A\-B" means "A" other than "B". |
| 904 |
|
"A\-B\-C" means "A" other than "B" and "C". |
| 905 |
|
"A\-B\-C\-D" means "A" other than "B" and "C" and "D". |
| 906 |
|
|
| 907 |
|
"A", "B", "C", "D" may contain wildcards. |
| 908 |
|
|
| 909 |
|
An example usage is "/home/\*/\*\-.ssh/\*", which means |
| 910 |
|
"/home/\*/\*/\*" other than "/home/\*/.ssh/\*". |
| 911 |
|
|
| 912 |
|
"A" should contain wildcards because subtraction from constants |
| 913 |
|
(e.g. "/usr\-usr/" or "/usr\-home/") is meaningless. |
| 914 |
|
|
| 915 |
|
Don't try "A\-B\+C" because "\+" is not addition operator. |
| 916 |
|
|
| 917 |
|
Fix 2007/05/24 |
| 918 |
|
|
| 919 |
|
@ Fix autobind hook. |
| 920 |
|
|
| 921 |
|
The location to call SAKURA_MayAutobind() in net/ipv4/udp.c |
| 922 |
|
and net/ipv6/udp.c were wrong. |
| 923 |
|
|
| 924 |
|
Fix 2007/06/03 |
| 925 |
|
|
| 926 |
|
@ Add a space in MakeMountOptions(). |
| 927 |
|
|
| 928 |
|
I forgot to add a space after "atime" and "noatime". |
| 929 |
|
|
| 930 |
|
Version 1.4.1 2007/??/?? Minor update release. |
TOMOYO
Parent Directory
Revision Log
Patch