Martin Pitt dd272d2b0c sosreport: Fix command injection with crafted report names [CVE-2024-2947]
Files in /var/tmp/ are controllable by any user. In particular, an
unprivileged user could create an sosreport* file containing a `'` and a
shell command, which would then run with root privileges when the
admin Cockpit user tried to delete the report.

Use the `cockpit.file()` API instead, which entirely avoids shell. The
main motivation for using shell and the glob was to ensure that the
auxiliary files like *.gpg and *.sha256 get cleaned up -- do that
explicitly (which is much safer anyway), and let our tests make sure
that we don't leave files behind.

https://bugzilla.redhat.com/show_bug.cgi?id=2271614
https://bugzilla.redhat.com/show_bug.cgi?id=2271815

Cherry-picked from main commit 9c4cc9b6df
2024-03-28 09:48:08 +01:00
.cockpit-ci .cockpit-ci: pin our container version 2024-03-18 13:26:34 +01:00
.fmf test: Add FMF test metadata and scripts 2021-03-12 20:21:29 +01:00
.github misc: move to new tasks container location 2024-03-18 13:26:34 +01:00
containers workflows: Run unit tests in our tasks container 2024-02-20 11:29:02 +01:00
doc guide: stylelint fixes 2024-02-07 16:54:02 +01:00
examples CSS: stylelint fixes 2024-02-07 15:59:17 +01:00
node_modules@6a19faaf27 Bump js-sha1 from 0.6.0 to 0.7.0 2024-02-09 07:23:41 +01:00
pkg sosreport: Fix command injection with crafted report names [CVE-2024-2947] 2024-03-28 09:48:08 +01:00
plans fmf: Plumb through $TEST_* variables for unexpected messages 2023-08-28 08:54:58 +02:00
po po: Update from Fedora Weblate 2024-02-08 12:08:03 +01:00
selinux selinux: Cover migration to /run 2024-02-07 14:45:21 +01:00
src test-router: use a different username 2024-03-18 13:26:34 +01:00
test sosreport: Fix command injection with crafted report names [CVE-2024-2947] 2024-03-28 09:48:08 +01:00
tools workflows: Drop i386 unit test/container 2024-02-20 11:29:02 +01:00
vendor vendor: update to the latest systemd_ctypes 2024-02-02 16:16:19 +01:00
.eslintignore Revert "Ignore sizzle.js in ESLint" 2022-05-23 13:33:09 +02:00
.eslintrc.json build.js: Move our front end build tool from webpack to esbuild 2023-03-27 15:22:36 +02:00
.flake8 .flake8: limit to rules not covered by ruff 2023-07-04 16:45:11 +02:00
.flowconfig kubernetes: Add Virtual machines side tab 2018-01-22 08:00:50 +01:00
.gitignore .gitignore: add .tox 2023-07-17 16:58:42 +02:00
.gitleaks.toml gitleaks: Ignore mock SSH keys 2022-10-03 09:01:53 +02:00
.gitmodules modules: rename to vendor 2023-09-07 17:48:36 +02:00
.stylelintrc.json stylelint: Drop checks which don't exist in version 16 any more 2024-02-07 15:59:17 +01:00
AUTHORS AUTHORS: Refer to git information 2019-03-06 16:41:45 +01:00
COPYING Initial commit 2013-11-01 13:42:29 -04:00
HACKING.md misc: move to new tasks container location 2024-03-18 13:26:34 +01:00
Makefile.am Drop Python bridge 2024-02-14 09:23:36 +01:00
README.md various: replace mentions of IRC with Matrix 2023-03-29 15:41:28 +02:00
autogen.sh build: write a bare minimal PEP 517 build backend 2023-05-12 11:01:02 +02:00
build.js build: Drop ESLint from esbuild 2024-02-07 18:35:09 +01:00
configure.ac Drop Python bridge 2024-02-14 09:23:36 +01:00
files.js package.json: Update @patternfly/patternfly, @patternfly/react-core, @patternfly/react-icons, @patternfly/react-styles, @patternfly/react-table, @patternfly/react-tokens 2023-07-26 06:19:58 +02:00
package.json Bump js-sha1 from 0.6.0 to 0.7.0 2024-02-09 07:23:41 +01:00
packit.yaml packit: Put back build job 2024-02-15 10:17:19 +01:00
pyproject.toml Drop Python bridge 2024-02-14 09:23:36 +01:00

README.md

Cockpit

A sysadmin login session in a web browser

cockpit-project.org

Cockpit is an interactive server admin interface. It is easy to use and very lightweight. Cockpit interacts directly with the operating system from a real Linux session in a browser.

Using Cockpit

You can install Cockpit on many Linux operating systems including Debian, Fedora and RHEL.

Cockpit makes Linux discoverable, allowing sysadmins to easily perform tasks such as starting containers, storage administration, network configuration, inspecting logs and so on.

Jumping between the terminal and the web tool is no problem. A service started via Cockpit can be stopped via the terminal. Likewise, if an error occurs in the terminal, it can be seen in the Cockpit journal interface.

You can also easily add other machines that have Cockpit installed and are accessible via SSH and jump between these hosts.

Development