From 048b2a92e008868b3a2d64b3112884722dc93ad5 Mon Sep 17 00:00:00 2001 From: Mike Frysinger Date: Sat, 4 Apr 2009 22:36:48 -0400 Subject: libsandbox: check binary we execute via $PATH If an exec func is used that searches $PATH, we need to do the search as well so that we don't miss out on binaries or denied locations that are run without a full path. Signed-off-by: Mike Frysinger --- libsandbox/wrapper-funcs/__wrapper_exec.c | 34 ++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) (limited to 'libsandbox') diff --git a/libsandbox/wrapper-funcs/__wrapper_exec.c b/libsandbox/wrapper-funcs/__wrapper_exec.c index 2c0894c..bbdb103 100644 --- a/libsandbox/wrapper-funcs/__wrapper_exec.c +++ b/libsandbox/wrapper-funcs/__wrapper_exec.c @@ -182,17 +182,36 @@ WRAPPER_RET_TYPE WRAPPER_NAME(WRAPPER_ARGS_PROTO) save_errno(); #ifndef EXEC_NO_FILE + const char *check_path = path; + char *mem1 = NULL, *mem2 = NULL; # ifndef EXEC_NO_PATH /* Some exec funcs always operate on full paths, while others * will search $PATH if the specified name lacks a slash. */ - if (strchr(path, '/')) + char *envpath = getenv("PATH"); + if (!strchr(check_path, '/') && envpath) { + size_t len_path = strlen(check_path); + char *p, *pp; + check_path = NULL; + pp = envpath = mem1 = xstrdup(envpath); + p = strtok_r(envpath, ":", &pp); + while (p) { + mem2 = xrealloc(mem2, strlen(p) + 1 + len_path + 1); + sprintf(mem2, "%s/%s", p, path); + if (access(mem2, R_OK) == 0) { + check_path = mem2; + break; + } + p = strtok_r(NULL, ":", &pp); + } + } + # endif - { - if (!SB_SAFE(path)) - return result; + if (check_path) { + if (!SB_SAFE(check_path)) + goto done; - sb_check_exec(path, argv); + sb_check_exec(check_path, argv); } #endif @@ -217,6 +236,11 @@ WRAPPER_RET_TYPE WRAPPER_NAME(WRAPPER_ARGS_PROTO) --recursive; #endif +#ifndef EXEC_NO_FILE + done: + free(mem1); + free(mem2); +#endif return result; } -- cgit v1.2.3-65-gdbad