[v13] Better control on user injected environment values #36134

Merged
jentfoo merged 1 commit into branch/v13 from jent/mac_env_filter_fix-v13
Dec 29, 2023

@jentfoo jentfoo commented Dec 29, 2023

v13 backport of PR #36132

changelog: macOS agent environment filtering documented under GHSA-vfxf-76hv-v4w4

This commit includes two changes:
  * In `environment` we expanded the list of macOS environment values which should be filtered. It was demonstrated that these can be used to get code execution in macOS.
  * In `reexec` we no longer provide the cmdmsg.Environment for the `teleport exec`. As part of the development of a9055bc it was attempted to fully clear out the environment, but testing showed that to be potentially problematic. It was believed the safest option was to use the cmd environment, however this introduces a new source of environment variables. Because this exec happens under `root` this is particularly dangerous (even more so when combined with the missed OSX values mentioned above). As such we now are only providing the filtered exec environment, which is a closer (but safer) option to the functionality prior to a9055bc.
@jentfoo jentfoo requested a review from AntonAM December 29, 2023 18:32
@jentfoo jentfoo added this pull request to the merge queue Dec 29, 2023
Merged via the queue into branch/v13 with commit d46e5cb Dec 29, 2023
@jentfoo jentfoo deleted the jent/mac_env_filter_fix-v13 branch December 29, 2023 19:42
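
An added example, not code from this PR or from Teleport: a Go version of the pattern the description names, where a child process started by a privileged parent receives only a filtered set of user-supplied values as its environment. The `DYLD_`/`LD_` prefix denylist, the `FilterEnv` and `usable` names, and the sample input are assumptions; the PR text does not list the filtered variable names.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// deniedPrefixes is an assumed denylist of dynamic-loader variable prefixes,
// used for illustration only; it is not the list from the Teleport commit.
var deniedPrefixes = []string{"DYLD_", "LD_"}

// usable reports whether key is a plain variable name that matches no denied prefix.
func usable(key string) bool {
	bad := func(r rune) bool {
		return r != '_' && (r < '0' || r > '9') && (r < 'A' || r > 'Z') && (r < 'a' || r > 'z')
	}
	if key == "" || strings.IndexFunc(key, bad) >= 0 {
		return false
	}
	for _, p := range deniedPrefixes {
		// Upper-casing before the comparison is deliberately conservative.
		if strings.HasPrefix(strings.ToUpper(key), p) {
			return false
		}
	}
	return true
}

// FilterEnv keeps well-formed KEY=VALUE entries with a usable key; the result is never nil.
func FilterEnv(userEnv []string) []string {
	out := make([]string, 0, len(userEnv))
	for _, kv := range userEnv {
		key, _, ok := strings.Cut(kv, "=")
		if ok && usable(key) {
			out = append(out, kv)
		}
	}
	return out
}

func main() {
	// Constructed sample input.
	in := []string{"TERM=xterm", "DYLD_INSERT_LIBRARIES=/tmp/x.dylib", "ld_preload=/tmp/x.so", "NOEQUALS"}
	cmd := exec.Command("/usr/bin/env")
	cmd.Env = FilterEnv(in) // a nil Env would make os/exec inherit the parent's environment
	fmt.Println(cmd.Env)    // [TERM=xterm]
}
```

Because `FilterEnv` always returns a non-nil slice, an input that is filtered down to nothing yields an empty child environment rather than silently falling back to the parent's.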