diff options
author | Giuseppe Di Natale <[email protected]> | 2017-07-24 11:53:59 -0700 |
---|---|---|
committer | Brian Behlendorf <[email protected]> | 2017-07-24 11:53:59 -0700 |
commit | d6bcf7ff5e97df3195d34269b1b72952b4a00778 (patch) | |
tree | 1ed95841987537672e5e81bb5e089a2d9aea5b5a /man/man8/zpool.8 | |
parent | b6e5c40382a52206f48cb26cc20ed85294e1b0a9 (diff) |
Restrict zpool iostat/status -c to search path
zpool iostat/status -c is supposed to be restricted
by its search path, but currently isn't. To prevent
arbitrary scripts from being executed, disallow '/'
from commands.
Reviewed-by: Brian Behlendorf <[email protected]>
Reviewed-by: Tony Hutter <[email protected]>
Reviewed-by: George Melikov <[email protected]>
Reviewed-by: Ned Bass <[email protected]>
Signed-off-by: Giuseppe Di Natale <[email protected]>
Closes #6353
Closes #6359
Diffstat (limited to 'man/man8/zpool.8')
-rw-r--r-- | man/man8/zpool.8 | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/man/man8/zpool.8 b/man/man8/zpool.8 index 78a6542d7..02853342c 100644 --- a/man/man8/zpool.8 +++ b/man/man8/zpool.8 @@ -1464,7 +1464,8 @@ output. Users can run any script found in their .Pa ~/.zpool.d directory or from the system .Pa /etc/zfs/zpool.d -directory. The default search path can be overridden by setting the +directory. Script names containing the slash (/) character are not allowed. +The default search path can be overridden by setting the ZPOOL_SCRIPTS_PATH environment variable. A privileged user can run .Fl c if they have the ZPOOL_SCRIPTS_AS_ROOT |