From 6787a57af73558f949b33a6479d0ba451d078593 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Sat, 6 Apr 2024 11:19:34 -0400
Subject: [PATCH] Avoid using /tmp for qrexec return pipes
This avoids a privilege escalation from unprivileged users (not in the "qubes" group).
Fixes: QubesOS/qubes-issues#9097
---
 lib/qubes-rpc-multiplexer | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/lib/qubes-rpc-multiplexer b/lib/qubes-rpc-multiplexer
index eea0ca30..0c34d740 100755
--- a/lib/qubes-rpc-multiplexer
+++ b/lib/qubes-rpc-multiplexer
@@ -1,22 +1,25 @@
 #!/bin/sh -l
+# we don't use globbing, disable it
+set -f
-if [ -z "$QREXEC_SERVICE_PATH" ]; then
+if [ -z "${QREXEC_SERVICE_PATH+x}" ]; then
 QREXEC_SERVICE_PATH=/usr/local/etc/qubes-rpc:/etc/qubes-rpc
 fi
+tmpdir=${XDG_RUNTIME_DIR-/tmp}
 # write stderr to both calling party and local log; be very careful about
 # closing file descriptors here - if either stdout or stderr will not be closed
 # when service process does the same - service call will hang (waiting for EOF
 # on stdout/stderr)
-stderr_pipe=/tmp/qrexec-rpc-stderr.$$
-mkfifo $stderr_pipe
+stderr_pipe=$tmpdir/qrexec-rpc-stderr.$$
+mkfifo -- "$stderr_pipe"
 # tee can't write to file descriptor, nor /proc/self/fd/2 (EXIO on open)
-return_stderr_pipe=/tmp/qrexec-rpc-stderr-return.$$
-mkfifo $return_stderr_pipe
-{ cat <$return_stderr_pipe >&2 2>/dev/null; rm -f $return_stderr_pipe; } /dev/null &
-{ tee $return_stderr_pipe <$stderr_pipe |\
- logger -t "$1-$2"; rm -f $stderr_pipe; } /dev/null 2>&1 &
-exec 2>$stderr_pipe
+return_stderr_pipe=$tmpdir/qrexec-rpc-stderr-return.$$
+mkfifo -- "$return_stderr_pipe"
+{ cat <"$return_stderr_pipe" >&2 2>/dev/null; rm -f -- "$return_stderr_pipe"; } /dev/null &
+{ tee -- "$return_stderr_pipe" <"$stderr_pipe" |
+ logger -t "$1-$2"; rm -f -- "$stderr_pipe"; } /dev/null 2>&1 &
+exec 2>"$stderr_pipe"
 if ! [ $# = 2 -o $# = 4 ] ; then
 echo "$0: bad argument count, usage: $0 SERVICE-NAME REMOTE-DOMAIN-NAME [REQUESTED_TARGET_TYPE REQUESTED_TARGET]" >&2
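Review bot: The fallback in `tmpdir=${XDG_RUNTIME_DIR-/tmp}` leaves both FIFOs at the predictable, world-writable `/tmp/qrexec-rpc-stderr.$$` names whenever XDG_RUNTIME_DIR is unset, and because the expansion uses `-` rather than `:-`, a set-but-empty value places them directly under `/`. Neither `mkfifo` has its exit status checked, so when the name already exists the script still goes on to `tee` into and `exec 2>` onto whatever is at that path; `mkfifo -- "$stderr_pipe" || exit 1` (and the same for `$return_stderr_pipe`) would make it fail closed. For the unset case, a private directory from `mktemp -d` would be safer than `/tmp` itself; whether every caller of this script sets XDG_RUNTIME_DIR cannot be seen from this hunk. The script continues past the end of the hunk, so any later handling is not visible here.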