[augeas-devel] FreeBSD /etc/rc.conf

David Lutterkort lutter at redhat.com
Thu Nov 18 15:44:19 UTC 2010


On Thu, 2010-11-18 at 12:29 +0000, Richard W.M. Jones wrote:
> Without care on my part, someone could try to set the hostname to
> "$(echo toor::0:0:root:/:/bin/sh > /etc/passwd)" or whatever and thus
> escalate a mere hostname change into a back door.

The real issue that makes an exploit like the above possible is that too
many config files are scripts that are run to evaluate them. If you can
modify such a file, you have lots of opportunities to exploit them.

Curiously, even though many files look like shell scripts, not all of
them are evaluated by executing them; IIRC, there are cases where
variable values are extracted from them via grep.

> Question is, who is responsible for stopping that from happening?

I'd never want Augeas to be responsible for guarding against such exploits
- a real fix to that security issue requires making such files data.

OTOH, I would like for Augeas to at least help in avoiding the most
egregious hacks that are possible because of executable configuration.
As it stands, Augeas will refuse to save a file if the value of a tree
node does not match what the lens says goes there.

There hasn't been a systematic attempt to lock down lenses; in a lot of
cases, it's also hard to get agreement on what should and should not be
allowed, since you also preclude legitimate uses that might look funky.

> I think the answer should involve Augeas, either doing the escaping, or
> providing hints to upper layers so we know what to escape.

What should that information look like? Right now, the best you can do
is make changes, do a noop save, and see if that causes an error.

David
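
Added example, not part of the original message and not Augeas code: a Python illustration of treating an rc.conf-style file as data, reading it without executing it and refusing to write a value the shell would expand when the file is sourced, in the same spirit as a lens that rejects a node value it does not match. The accepted value syntax, the names parse_rc_conf and set_value, and the sample file are assumptions made for this example.

```python
import re

# Constructed sample of an rc.conf-style file (not taken from a real system).
SAMPLE = '''# constructed sample
hostname="web01.example.org"
sshd_enable="YES"
ifconfig_em0='inet 192.0.2.10 netmask 255.255.255.0'
'''

# Assumed policy: a value is a double-quoted, single-quoted or bare word that
# sh(1) would not expand when sourcing the file. Double-quoted values may not
# contain $, backtick, backslash or a double quote.
INERT_VALUE = re.compile(
    r'''"[^"$`\\\n]*"|'[^'\n]*'|[A-Za-z0-9_./:@%+,-]+''')
ASSIGNMENT = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')


def parse_rc_conf(text):
    """Read the file as data: nothing is executed, unknown syntax is an error."""
    values = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = ASSIGNMENT.match(stripped)
        if not m or not INERT_VALUE.fullmatch(m.group(2)):
            raise ValueError(f'line {lineno}: not an inert assignment: {line!r}')
        raw = m.group(2)
        values[m.group(1)] = raw[1:-1] if raw[0] in '"\'' else raw
    return values


def set_value(text, key, value):
    """Return text with key set to value, refusing values that sh would expand."""
    quoted = f'"{value}"'
    if not INERT_VALUE.fullmatch(quoted):
        raise ValueError(f'refusing to write {key}: value is not inert: {value!r}')
    new_line = f'{key}={quoted}'
    lines, replaced = [], False
    for line in text.splitlines():
        m = ASSIGNMENT.match(line.strip())
        if m and m.group(1) == key:
            lines.append(new_line)
            replaced = True
        else:
            lines.append(line)
    if not replaced:
        lines.append(new_line)
    return '\n'.join(lines) + '\n'
```

The policy is deliberately strict: it also rejects legitimate constructs such as variable references or trailing comments, which is the trade-off the message describes when locking down what a file may contain.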




