aboutsummaryrefslogtreecommitdiff
path: root/contrib/kiss-link
diff options
context:
space:
mode:
authormerakor <cem@ckyln.com>2020-05-18 00:12:29 +0000
committermerakor <cem@ckyln.com>2020-05-18 00:12:29 +0000
commite12c404e13e8bc0eaab4b1aeeb3a6af0cc79dd49 (patch)
tree8a4e05e479d9c1e4c8c2aa171b02f2d8df06d2a8 /contrib/kiss-link
parent91aaf984c843df030b33c2dc9419dfecc5da95a5 (diff)
downloadcpt-1.22.3.tar.gz
kiss: prevent privilige escalations through user defined hooks1.22.3
During installation, the script is run as root, but out KISS_HOOK variable stays the same. This is a critical bug since a user can only have permissions to install packages as root, but not for any other privilige escalation. A user can abuse the KISS_HOOK in order to become root, possibly with a `/sbin/login` command on the hook file. This change checks for a fourth argument and overrides the KISS_HOOK to `$KISS_ROOT/etc/kiss-hook` FossilOrigin-Name: 67041b182d9524fcfa8292e7167f249b99851129cda0d7fe9e4fdff8388063b6
Diffstat (limited to 'contrib/kiss-link')
0 files changed, 0 insertions, 0 deletions