From c52612ba0315409e4c47f753e41615d19131baf7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= Date: Fri, 2 Apr 2021 16:40:48 +0200 Subject: [PATCH] zed.8: don't pretend an unprivileged user could change the script owner MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit And add a note on /why/ ZEDLETs need to be owned by root Quoth chown(2), Linux man-pages project: Only a privileged process (Linux: one with the CAP_CHOWN capability) may change the owner of a file. Quoth chown(2), FreeBSD: [EPERM] The operation would change the ownership, but the effective user ID is not the super-user. Reviewed-by: Brian Behlendorf Signed-off-by: Ahelenia ZiemiaƄska Closes #11834 --- cmd/zed/zed_conf.c | 2 -- man/man8/zed.8.in | 13 ++++--------- 2 files changed, 4 insertions(+), 11 deletions(-) diff --git a/cmd/zed/zed_conf.c b/cmd/zed/zed_conf.c index bd2ee2261..f11d8b398 100644 --- a/cmd/zed/zed_conf.c +++ b/cmd/zed/zed_conf.c @@ -324,8 +324,6 @@ zed_conf_parse_opts(struct zed_conf *zcp, int argc, char **argv) * * Return 0 on success with an updated set of zedlets, * or -1 on error with errno set. - * - * FIXME: Check if zedlet_dir and all parent dirs are secure. */ int zed_conf_scan_dir(struct zed_conf *zcp) diff --git a/man/man8/zed.8.in b/man/man8/zed.8.in index 155148675..eb3b9e015 100644 --- a/man/man8/zed.8.in +++ b/man/man8/zed.8.in @@ -117,9 +117,10 @@ ZEDLETs to be invoked in response to zevents are located in the \fIenabled-zedlets\fR directory. These can be symlinked or copied from the \fIinstalled-zedlets\fR directory; symlinks allow for automatic updates from the installed ZEDLETs, whereas copies preserve local modifications. -As a security measure, ZEDLETs must be owned by root. They must have -execute permissions for the user, but they must not have write permissions -for group or other. Dotfiles are ignored. +As a security measure, since ownership change is a privileged operation, +ZEDLETs must be owned by root. They must have execute permissions for the user, +but they must not have write permissions for group or other. +Dotfiles are ignored. .PP ZEDLETs are named after the zevent class for which they should be invoked. In particular, a ZEDLET will be invoked for a given zevent if either its @@ -231,12 +232,6 @@ Terminate the daemon. .SH BUGS .PP -The ownership and permissions of the \fIenabled-zedlets\fR directory (along -with all parent directories) are not checked. If any of these directories -are improperly owned or permissioned, an unprivileged user could insert a -ZEDLET to be executed as root. The requirement that ZEDLETs be owned by -root mitigates this to some extent. -.PP ZEDLETs are unable to return state/status information to the kernel. .PP Some zevent nvpair types are not handled. These are denoted by zevent