Hi, I am currently working on a new release of grep-dctrl, which is a grep-like program specializing in the Debian control file format. It is used by several packages, and its incarnation grep-available seems to be rather popular.

Currently grep-available and its sister program grep-status are symlinks to the grep-dctrl binary. Their behavioral difference is that they choose a different input file if none is specified on the command line. For grep-dctrl, it is always the standard input stream. For other names of the program, it depends on the configuration. The program looks in configuration files to find a rule that tells it what the default file name is. The shipped configuration has grep-available using /var/lib/dpkg/available and grep-status using /var/lib/dpkg/status. This file name is, if it is used at all, passed uninterpreted to open(2), so I believe the current scheme is not a security problem.

However, I have a feature request (#207440) asking for a new symlink alias for the program, one that gets its default input from the "apt-cache dumpavail" command. I agree that it would be a good feature to have. My plan of action is to add support for "file names" that are passed to /bin/sh as commands, whose standard output stream becomes the default input.

Now, since this will involve allowing execution of arbitrary "out of band" code, I am concerned that I may introduce a security problem. For example, if /etc/grep-dctrlrc or ~root/.grep-dctrl.rc becomes world-writable for some reason (it isn't by design, of course), a malicious local user can add code that will be executed as root when root next runs grep-available.

In your opinion, is there any potential for a security problem in this scheme? If there is, what should I do about it?

-- 
Antti-Juhani Kaijanaho, Debian developer
http://www.iki.fi/gaia/
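The concern raised in the message is that a configuration file which can name a command, rather than just a file, becomes a code-execution path whenever that file is writable by someone other than its intended owner. A common mitigation is to treat command-valued rules as trusted only when the rc file itself passes an ownership and permission check. The following C sketch is an added example written for this discussion; it is not grep-dctrl's code, and the rule syntax in the sample file (a `command` keyword naming "apt-cache dumpavail") is a hypothetical placeholder. It checks the file after opening it, via fstat(2) on the descriptor, so the check and the subsequent read refer to the same inode, and it uses O_NOFOLLOW so a symlink dropped in place of the rc file is not silently followed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if a configuration file with the given owner and mode may be
 * trusted to supply commands (as opposed to plain file names).
 * Policy (an assumption for this example, not grep-dctrl's actual policy):
 * the file must be a regular file, owned by root or by the invoking user,
 * and writable by nobody else. */
int config_mode_trusted(uid_t owner, mode_t mode, uid_t self)
{
    if (!S_ISREG(mode))                 /* no directories, FIFOs, devices */
        return 0;
    if (owner != 0 && owner != self)    /* file belongs to some third user */
        return 0;
    if (mode & (S_IWGRP | S_IWOTH))     /* group- or world-writable */
        return 0;
    return 1;
}

/* Opens path and validates the *opened* descriptor with fstat(2), so the
 * permission check and the later read see the same inode (a stat(2)
 * before open(2) would leave a race window).  O_NOFOLLOW refuses a
 * symlink planted where the rc file should be.  Returns an open FILE*
 * on success, NULL (with errno set) otherwise. */
FILE *open_trusted_config(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return NULL;

    struct stat st;
    if (fstat(fd, &st) != 0 ||
        !config_mode_trusted(st.st_uid, st.st_mode, getuid())) {
        close(fd);
        errno = EPERM;
        return NULL;
    }

    FILE *fp = fdopen(fd, "r");
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Demonstration: write a throw-away rc file under a constructed path, make
 * it world-writable and show the check rejecting it, then tighten the mode
 * and show it accepted.  Returns 1 when both outcomes are as expected. */
int demo_temp_file(void)
{
    char path[] = "/tmp/grep-dctrlrc-demo.XXXXXX";   /* constructed sample path */
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;

    /* Hypothetical rule syntax, constructed for this example only. */
    const char rule[] = "grep-aptavail command \"apt-cache dumpavail\"\n";
    if (write(fd, rule, sizeof rule - 1) < 0) {
        close(fd);
        unlink(path);
        return 0;
    }
    close(fd);

    chmod(path, 0666);                          /* world-writable: must be refused */
    FILE *rejected = open_trusted_config(path);
    chmod(path, 0644);                          /* owner-only write: acceptable */
    FILE *accepted = open_trusted_config(path);

    int ok = (rejected == NULL) && (accepted != NULL);
    if (rejected) fclose(rejected);
    if (accepted) fclose(accepted);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("world-writable rc rejected, owner-only rc accepted: %s\n",
           demo_temp_file() ? "yes" : "no");
    return 0;
}
```

The check only governs whether command-valued rules are honoured; plain file-name rules that end up in open(2) carry no such risk and need not be gated. Note that a check of this kind does not help when the command itself is fine but the environment (PATH, shell startup files) that /bin/sh inherits is attacker-controlled, so a program that adopts this design would also want to run the command with a sanitized environment.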