Bug 998364 - Power service provider uses unsecured system(3) call.
Power service provider uses unsecured system(3) call.
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openlmi-providers (Show other bugs)
7.0
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Radek Novacek
:
Depends On:
Blocks: 922084
  Show dependency treegraph
 
Reported: 2013-08-19 03:16 EDT by Robin Hack
Modified: 2016-11-30 19:31 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-23 07:00:41 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Robin Hack 2013-08-19 03:16:01 EDT
Description of problem:
Power service provider uses unsecure system(3) call without cleaning environment variables.

Also, if service is run in backgroud, system(3) returns 0 even if command is not found.

Steps to Reproduce:
$ cd openlmi-providers/src/power
$ grep -n system\( power.c

165:            succeeded = system("pm-suspend") == 0;
171:            succeeded = system("systemctl --force reboot &") == 0;
173:            succeeded =  system("reboot --force &") == 0;
181:            succeeded =  system("pm-hibernate") == 0;
187:            succeeded = system("systemctl --force poweroff &") == 0;
189:            succeeded =  system("shutdown --halt now &") == 0;
195:            succeeded = system("systemctl poweroff &") == 0;
197:            succeeded =  system("shutdown --poweroff now &") == 0;
203:            succeeded = system("systemctl reboot &") == 0;
205:            succeeded =  system("shutdown --reboot now &") == 0;
331:    if (system("pm-is-supported --suspend") == 0) {
371:    if (system("pm-is-supported --hibernate") == 0) {


Version-Release number of selected component (if applicable):
From upstream git repo last commit:
commit 6532d453d6d25b816c3e0c08de3d3cea46dce543

How reproducible:
always

Actual results:
Unsecured system(3) call.

Expected results:
Something more secure.
Comment 2 Jan Safranek 2013-08-23 07:00:41 EDT
There is no need to secure system() with sanitized environment because Pegasus nor SFCB are suid. One must be root to exploit this "vulnerability".

Note You need to log in before you can comment on or make changes to this bug.