Restrict zpool iostat/status -c to search path

zpool iostat/status -c is supposed to be restricted
by its search path, but currently isn't. To prevent
arbitrary scripts from being executed, disallow '/'
from commands.

Reviewed-by: Brian Behlendorf <[email protected]>
Reviewed-by: Tony Hutter <[email protected]>
Reviewed-by: George Melikov <[email protected]>
Reviewed-by: Ned Bass <[email protected]>
Signed-off-by: Giuseppe Di Natale <[email protected]>
Closes #6353 
Closes #6359 

2 files changed, 5 insertions, 1 deletions

diff --git a/cmd/zpool/zpool_iter.c b/cmd/zpool/zpool_iter.c
index abb1b1798..e55c2f102 100644
--- a/cmd/zpool/zpool_iter.c
+++ b/cmd/zpool/zpool_iter.c
@@ -565,6 +565,9 @@ vdev_run_cmd_thread(void *cb_cmd_data)
 		char *dir = NULL, *sp, *sprest;
 		char fullpath[MAXPATHLEN];
 
+		if (strchr(cmd, '/') != NULL)
+			continue;
+
 		sp = zpool_get_cmd_search_path();
 		if (sp == NULL)
 			continue;
diff --git a/man/man8/zpool.8 b/man/man8/zpool.8
index 78a6542d7..02853342c 100644
--- a/man/man8/zpool.8
+++ b/man/man8/zpool.8
@@ -1464,7 +1464,8 @@ output. Users can run any script found in their
 .Pa ~/.zpool.d
 directory or from the system
 .Pa /etc/zfs/zpool.d
-directory. The default search path can be overridden by setting the
+directory. Script names containing the slash (/) character are not allowed.
+The default search path can be overridden by setting the
 ZPOOL_SCRIPTS_PATH environment variable. A privileged user can run
 .Fl c
 if they have the ZPOOL_SCRIPTS_AS_ROOT