shared/pager: add support for more(1) pager in secure mode #41503
|
The problem is that we need to support systems with older |
That makes sense to me. Now, is there a common way this is done in the systemd code base? I was thinking of a helper function in |
|
urks, i'd really prefer if we wouldn't have to add support for numerous XYZSECURE env vars for all the pagers around. Can we get util-linux to parse $PAGERSECURE in more in addition to MORESECURE? it would make a ton of sense to augment $PAGER with $PAGERSECURE, and if this indeed is a generic concept now, then the env var should be generic too. i understand this would not really help with figuring out if a pager supports the concept at all, but that's a separate issue. |
|
our current baseline for util-linux is 2.41 right now (see README). 2.42 is not that far off, we might consider just bumping the dep to that which would solve the MORESECURE feature check issue? that said, not sure how much that'd help if we push for PAGERSECURE instead... |
|
@poettering when I added support for secure mode in more I also included PAGERSECURE as env, so yes this should be a good way to go. |
|
btw, here's another issue. not sure how much i care, and i just wanted to mention that this exists, but busybox provides its own crappy implementation of "more" with a very different feature set. |
|
but hmm, i really don't care about busybox and we officially do not offer compat with it anyway, so maybe let's ignore the busybox angle. if you change the PR to use PAGERSECURE and drop MORESECURE and then bump the baseline i think we should be fine. |
|
This sounds plausible! Fixing ... |
e863e6c to
5538d04
The more(1) pager (part of util-linux) now supports secure mode, which can be enabled with the PAGERSECURE environment variable. Adding support for more(1) in secure mode serves as an alternative for systems that do not have less installed or for users who prefer it. Commit d2fce960f9cac740 introduced secure mode in more(1) and the new feature is available in version 2.42 of util-linux. Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
This baseline bump is mainly to support the secure mode feature in more(1) that has been made available since util-linux v2.42. Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
5538d04 to
df87d75
|
Cutting off anything but util-linux 2.42 cuts off CentOS 9, CentOS 10, Fedora 42, Fedora 43 and the just released Debian 13 and Ubuntu 26.04. I don't think we can't really do this just yet...? It's basically everything but archlinux and rawhide... |
|
|
I had just seen the doc commit, but looking at the diff it doesn't look like it changes the baseline at all? What is the failure mode if I run this with util-linux 2.41? What breaks precisely? |
The failure mode is that systemctl will open a version of more(1) that does not support secure mode, which could allow an unprivileged user to execute a shell as the EUID :( Also, @bluca is there a place other than README where the baseline for runtime requirements is updated, I could not find anything obvious. Either way, it might be a good idea to backport the secure mode to util-linux 2.41 at least. @karelzak what do you think? |
When you describe it like that, I really don't think this is a footgun we want to introduce. This needs at the very least to be enabled based on the version of util-linux used at build time, given we use libmount/libblkid there is a strong correlation anyway, so that should suffice. |
|
Ok, so if I understand correctly this implies the introduction of something like

```meson
more_pager = dependency('more',
        version : '>= 2.42',
        required : get_option('more_pager'))
have = more_pager.found()
conf.set10('HAVE_SECURE_MORE_PAGER', have)
```

Now, do we want to make PAGERSECURE env dependent on more(1)'s availability (probably not)? Either way, we can then use a macro to add more(1) to the secure pager list or if that is ugly an inline

```c
#if HAVE_SECURE_MORE_PAGER
#define SECURE_MORE_PAGER "more",
#else
#define SECURE_MORE_PAGER
#endif /* HAVE_SECURE_MORE_PAGER */
...
if (use_secure_mode && !STR_IN_SET(pagers[i], "less", SECURE_MORE_PAGER "(built-in)"))
...
```

Makes sense? |
|
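The gating discussed in the comments above, as an added example that is not systemd's code and not part of this PR: in secure mode a candidate pager is used only if it is on the allowlist, and more(1) joins the allowlist only when the util-linux version known at build time is at least 2.42. The function names, the candidate lists, the version strings and the rule that a rejected candidate falls through to the next entry are assumptions made for this sketch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if a util-linux version string (e.g. "2.41.1") is >= 2.42, the
 * release the thread names as the first with secure mode in more(1).
 * Anything unparsable fails closed. */
bool util_linux_has_secure_more(const char *version) {
        int major = 0, minor = 0;

        if (!version || sscanf(version, "%d.%d", &major, &minor) < 2)
                return false;
        return major > 2 || (major == 2 && minor >= 42);
}

/* Pagers trusted to honour secure mode: "less" and "(built-in)" always,
 * "more" only when the build saw a new enough util-linux. */
bool pager_is_secure_capable(const char *name, bool have_secure_more) {
        if (!name)
                return false;
        if (strcmp(name, "less") == 0 || strcmp(name, "(built-in)") == 0)
                return true;
        return have_secure_more && strcmp(name, "more") == 0;
}

/* Return the first usable candidate. In secure mode, candidates that are
 * not secure-capable are skipped (assumed fall-through behaviour); the
 * last resort is the built-in pager. */
const char *select_pager(const char *const *candidates, size_t n,
                         bool secure_mode, bool have_secure_more) {
        for (size_t i = 0; i < n; i++) {
                if (!candidates[i] || !*candidates[i])
                        continue;
                if (secure_mode && !pager_is_secure_capable(candidates[i], have_secure_more))
                        continue;
                return candidates[i];
        }
        return "(built-in)";
}

int main(void) {
        /* Constructed inputs: a candidate order and two build-time versions. */
        const char *const candidates[] = { "more", "less" };
        const char *const versions[] = { "2.41.1", "2.42" };

        for (size_t i = 0; i < 2; i++)
                printf("util-linux %s, secure mode -> %s\n", versions[i],
                       select_pager(candidates, 2, true,
                                    util_linux_has_secure_more(versions[i])));
        return 0;
}
```

A build-time version check says nothing about the more(1) binary present at run time, which is the gap the later comments in the thread are concerned with.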
Something like that, can even use the existing libmount or libfdisk checks without checking for more, given it's the same sources |
|
I was thinking of separating the check, because I was not too sure what side effects bumping the baseline for libmount to v2.42 could have. Also, wouldn't it make sense to implicitly check for secure more(1), simply for |
|
sure |
|
Cool! Preparing a new PR then :) |
|
From a long-term point of view, maybe we can add util-linux.pc so we can ask for supported features with |
That would be nice, yes please! |
|
I don't think this should have been merged. That util-linux release is only present in a few places right now, and this means that unless people carefully check, we're opening them up to a vulnerability. This is just the wrong way to approach this. |
The more(1) pager (part of util-linux) now supports secure mode,
which can be enabled with the MORESECURE environment variable.
Adding support for more(1) in secure mode serves as an alternative
for systems that do not have less installed or for users who prefer
it.
Commit d2fce960f9cac740 introduced secure mode in more(1) and the
new feature is available in version 2.42 of util-linux.