File autofs-5.1.0-add-config-option-to-force-use-of-program-map-stdvars.patch of Package autofs.2291
autofs-5.1.0 - add config option to force use of program map stdvars
From: Ian Kent <ikent@redhat.com>
Enabling the extended environment (including $HOME, for example) for
program maps opens automount(8) to a privilege escalation.
Rather than just removing the extended environment, a configuration
option is added that leaves it disabled by default, so that those who
wish to use it can still do so.
---
include/defaults.h | 2 ++
lib/defaults.c | 12 ++++++++++++
man/auto.master.5.in | 8 ++++++++
man/autofs.5 | 5 +++++
modules/lookup_program.c | 14 +++++++++++++-
samples/autofs.conf.default.in | 11 +++++++++++
6 files changed, 51 insertions(+), 1 deletion(-)
--- a/include/defaults.h
+++ b/include/defaults.h
@@ -28,6 +28,7 @@
#define DEFAULT_UMOUNT_WAIT 12
#define DEFAULT_BROWSE_MODE 1
#define DEFAULT_LOGGING 0
+#define DEFAULT_FORCE_STD_PROG_MAP_ENV 0
#define DEFAULT_LDAP_TIMEOUT -1
#define DEFAULT_LDAP_NETWORK_TIMEOUT 8
@@ -62,6 +63,7 @@ unsigned int defaults_get_timeout(void);
unsigned int defaults_get_negative_timeout(void);
unsigned int defaults_get_browse_mode(void);
unsigned int defaults_get_logging(void);
+unsigned int defaults_force_std_prog_map_env(void);
const char *defaults_get_ldap_server(void);
unsigned int defaults_get_ldap_timeout(void);
unsigned int defaults_get_ldap_network_timeout(void);
--- a/lib/defaults.c
+++ b/lib/defaults.c
@@ -35,6 +35,7 @@
#define ENV_NAME_NEGATIVE_TIMEOUT "NEGATIVE_TIMEOUT"
#define ENV_NAME_BROWSE_MODE "BROWSE_MODE"
#define ENV_NAME_LOGGING "LOGGING"
+#define ENV_NAME_FORCE_STD_PROG_MAP_ENV "FORCE_STANDARD_PROGRAM_MAP_ENV"
#define LDAP_URI "LDAP_URI"
#define ENV_LDAP_TIMEOUT "LDAP_TIMEOUT"
@@ -629,6 +630,17 @@ unsigned int defaults_get_logging(void)
return logging;
}
+unsigned int defaults_force_std_prog_map_env(void)
+{
+ int res;
+
+ res = get_env_yesno(ENV_NAME_FORCE_STD_PROG_MAP_ENV);
+ if (res < 0)
+ res = DEFAULT_FORCE_STD_PROG_MAP_ENV;
+
+ return res;
+}
+
unsigned int defaults_get_ldap_timeout(void)
{
int res;
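Review bot: The new defaults_force_std_prog_map_env() carries no comment stating which direction is the safe one, and the name alone does not say that a non-zero result removes the "AUTOFS_" prefix. I would add above it `/* Non-zero: program maps receive the standard variables without the "AUTOFS_" prefix; leave at 0 unless the map program is trusted with them. */`. The function also returns an `int res` through an `unsigned int` return type, which is only safe if get_env_yesno() yields nothing but 0, 1 or a negative value; that helper is not visible in this patch, so it is worth confirming. The hunk ends inside defaults_get_ldap_timeout(), whose body continues outside it.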
--- a/man/autofs.5
+++ b/man/autofs.5
@@ -189,6 +189,11 @@ SHOST Short hostname (domain part remove
.fi
.RE
.sp
+If a program map is used these standard environment variables will have
+a prefix of "AUTOFS_" to prevent interpreted languages like python from
+being able to load and execute arbitray code from a user home directory.
+.RE
+.sp
Additional entries can be defined with the -Dvariable=Value map-option to
.BR automount (8).
.SS Executable Maps
--- a/man/auto.master.5.in
+++ b/man/auto.master.5.in
@@ -253,6 +253,14 @@ options replace the global options (prog
.TP
.B LOGGING
set default log level "none", "verbose" or "debug" (program default "none").
+.TP
+.B FORCE_STANDARD_PROGRAM_MAP_ENV
+override the use of a prefix with standard environment variables when a
+program map is executed. Since program maps are run as the privileded
+user setting these standard environment variables opens automount(8) to
+potential user privilege escalation when the program map is written in a
+language that can load components from, for example, a user home directory
+(program default "no").
.SH BUILTIN MAP -hosts
If "-hosts" is given as the map then accessing a key under the mount point
which corresponds to a hostname will allow access to the exports of that
--- a/modules/lookup_program.c
+++ b/modules/lookup_program.c
@@ -132,6 +132,7 @@ int lookup_mount(struct autofs_point *ap
int ret = 1;
int distance;
int alloci = 1;
+ char *prefix;
source = ap->entry->current;
ap->entry->current = NULL;
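Review bot: `char *prefix;` is later assigned the string literal "AUTOFS_" and is never written through in the lines this patch shows, so it would be better declared as `const char *prefix;`. That depends on addstdenv() accepting a `const char *` for its second argument, which is not visible here. lookup_mount() starts and ends outside this hunk.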
@@ -267,6 +268,17 @@ int lookup_mount(struct autofs_point *ap
warn(ap->logopt,
MODPREFIX "failed to set PWD to %s for map %s",
ap->path, ctxt->mapname);
+
+ /*
+ * By default use a prefix with standard environment
+ * variables to prevent system subversion by interpreted
+ * languages.
+ */
+ if (defaults_force_std_prog_map_env())
+ prefix = NULL;
+ else
+ prefix = "AUTOFS_";
+
/*
* MAPFMT_DEFAULT must be "sun" for ->parse_init() to have setup
* the macro table.
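Review bot: When defaults_force_std_prog_map_env() returns non-zero the prefix is dropped silently, so nothing in the log records that a program map is being run as the privileged user with unprefixed standard variables. A message on that branch, in the style of the warn() call just above, would let an administrator spot the weakened setting: `warn(ap->logopt, MODPREFIX "standard environment exported without prefix for map %s", ctxt->mapname);`. The if/else would then need braces. lookup_mount() starts and ends outside this hunk.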
@@ -274,7 +286,7 @@ int lookup_mount(struct autofs_point *ap
if (ctxt->mapfmt && strcmp(ctxt->mapfmt, "MAPFMT_DEFAULT")) {
struct parse_context *pctxt = (struct parse_context *) ctxt->parse->context;
/* Add standard environment as seen by sun map parser */
- pctxt->subst = addstdenv(pctxt->subst, "AUTOFS_");
+ pctxt->subst = addstdenv(pctxt->subst, prefix);
macro_setenv(pctxt->subst);
}
execl(ctxt->mapname, ctxt->mapname, name, NULL);
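Review bot: addstdenv() now receives `prefix`, which is NULL when the option is enabled, where it previously always received a string literal. addstdenv() is not part of this patch, so it should be confirmed that it treats a NULL prefix as "no prefix" rather than dereferencing it. If it does, a short comment at the call such as `/* prefix == NULL exports the variables under their plain names */` would make that contract visible. lookup_mount() starts and ends outside this hunk.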
--- a/samples/autofs.conf.default.in
+++ b/samples/autofs.conf.default.in
@@ -50,6 +50,17 @@ BROWSE_MODE="no"
#
#LOGGING="none"
#
+# FORCE_STANDARD_PROGRAM_MAP_ENV - disable the use of the "AUTOFS_"
+# prefix for standard environemt variables when
+# executing a program map. Since program maps
+# are run as the privileded user this opens
+# automount(8) to potential user privilege
+# escalation when the program map is written
+# in a language that can load components from,
+# for example, a user home directory.
+#
+#FORCE_STANDARD_PROGRAM_MAP_ENV="no"
+#
# Define server URIs
#
# LDAP_URI - space seperated list of server uris of the form