/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

  • Committer: Teddy Hogeborn
  • Date: 2014-06-08 03:10:08 UTC
  • Revision ID: teddy@recompile.se-20140608031008-mc9bd7b024a3q0y0
Address a very theoretical possible security issue in mandos-client.

If there were to run some sort of "cleaner" process for /run/tmp (or
/tmp), and mandos-client were to run for long enough for that cleaner
process to remove the temporary directory for GPGME, there was a
possibility that another unprivileged process could trick the (also
unprivileged) mandos-client process to remove other files or symlinks
which the unprivileged mandos-client process was allowed to remove.
This is not currently known to have been exploitable, since there are
no known initramfs environments running such cleaner processes.

* plugins.d/mandos-client.c (main): Use O_NOFOLLOW when opening
                                    tempdir for cleaning.

Show diffs side-by-side

added added

removed removed

Lines of Context:
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-keygen">
5
 
<!ENTITY TIMESTAMP "2015-07-20">
 
5
<!ENTITY TIMESTAMP "2013-10-22">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
33
33
    <copyright>
34
34
      <year>2008</year>
35
35
      <year>2009</year>
36
 
      <year>2010</year>
37
36
      <year>2011</year>
38
37
      <year>2012</year>
39
 
      <year>2013</year>
40
 
      <year>2014</year>
41
 
      <year>2015</year>
42
38
      <holder>Teddy Hogeborn</holder>
43
39
      <holder>Björn Påhlsson</holder>
44
40
    </copyright>
123
119
        <replaceable>TIME</replaceable></option></arg>
124
120
      </group>
125
121
      <sbr/>
126
 
      <group>
127
 
        <arg choice="plain"><option>--force</option></arg>
128
 
        <arg choice="plain"><option>-f</option></arg>
129
 
      </group>
 
122
      <arg><option>--force</option></arg>
130
123
    </cmdsynopsis>
131
124
    <cmdsynopsis>
132
125
      <command>&COMMANDNAME;</command>
152
145
        <arg choice="plain"><option>-n
153
146
        <replaceable>NAME</replaceable></option></arg>
154
147
      </group>
155
 
      <group>
156
 
        <arg choice="plain"><option>--no-ssh</option></arg>
157
 
        <arg choice="plain"><option>-S</option></arg>
158
 
      </group>
159
148
    </cmdsynopsis>
160
149
    <cmdsynopsis>
161
150
      <command>&COMMANDNAME;</command>
357
346
          </para>
358
347
        </listitem>
359
348
      </varlistentry>
360
 
      <varlistentry>
361
 
        <term><option>--no-ssh</option></term>
362
 
        <term><option>-S</option></term>
363
 
        <listitem>
364
 
          <para>
365
 
            When <option>--password</option> or
366
 
            <option>--passfile</option> is given, this option will
367
 
            prevent <command>&COMMANDNAME;</command> from calling
368
 
            <command>ssh-keyscan</command> to get an SSH fingerprint
369
 
            for this host and, if successful, output suitable config
370
 
            options to use this fingerprint as a
371
 
            <option>checker</option> option in the output.  This is
372
 
            otherwise the default behavior.
373
 
          </para>
374
 
        </listitem>
375
 
      </varlistentry>
376
349
    </variablelist>
377
350
  </refsect1>
378
351
  
529
502
      <citerefentry><refentrytitle>mandos</refentrytitle>
530
503
      <manvolnum>8</manvolnum></citerefentry>,
531
504
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
532
 
      <manvolnum>8mandos</manvolnum></citerefentry>,
533
 
      <citerefentry><refentrytitle>ssh-keyscan</refentrytitle>
534
 
      <manvolnum>1</manvolnum></citerefentry>
 
505
      <manvolnum>8mandos</manvolnum></citerefentry>
535
506
    </para>
536
507
  </refsect1>
537
508