Re: Serious bug in gdomap (from gnustep-base-1.3.3)
From: Richard Frith-Macdonald
Subject: Re: Serious bug in gdomap (from gnustep-base-1.3.3)
Date: Tue, 2 Jul 2002 15:29:34 +0100

On Tuesday, July 2, 2002, at 11:02 AM, James Kehl wrote:
> Can I please beg you to make gdomap run as a user other than root by
> default!?

Yes ... but I won't. It has to run as root to bind to the (privileged)
gdomap port registered with IANA.

> I am using gnustep-base-1.3.3 compiled from source; running on RedHat
> Linux 7.3. Everything is default apart from using flattened paths in
> gnustep-make.
> Today's problem:
> --
> [shykta@mixmaster shykta]$ id -a
> uid=500(shykta) gid=100(users) groups=100(users),3(sys),20(games)
> [shykta@mixmaster shykta]$ la /etc/passwd
> -rw-r--r-- 1 root root 1592 Jul 2 19:15 /etc/passwd
> [shykta@mixmaster shykta]$ tail -n 1 /etc/passwd
> demouser:x:505:505::/home/demouser:/bin/bash
> [shykta@mixmaster shykta]$ /usr/GNUstep/System/Tools/gdomap -I /etc/passwd
> [shykta@mixmaster shykta]$ tail -n 1 /etc/passwd
> 28812
> --
> That's a very, very bad thing to happen.

Yes ... potentially destructive. I fixed it in CVS by moving the code
which writes the pid to file, so that it executes after gdomap setuids
away from root ... I don't know why it was before that point ... a big
oversight.

> I'm sure there's even a creative way for an unprivileged user to get
> root access using this bug.

I doubt it - the only way I can think of is if writing the pid to a file
owned by another root process caused that process to do something it
shouldn't. I'd probably consider that a bug in the other program.

> I don't want to sound unfriendly (I like GNUstep) but I'm going to wait
> 7 days for a response to this email, and if I haven't heard from you by
> then, I'll be thinking about how to disclose this.
> ( a' la RFPolicy - http://www.wiretrip.net/rfp/policy.html )

Well, by mailing to a public mailing list which is mirrored to a usenet
newsgroup, you've already done that!

I recommend anyone running GNUstep on a system where there are local
users able to access the gdomap executable to upgrade gdomap from CVS
immediately.
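
The ordering fix described in the message above (write the pid file only after giving up root), as an added C example that is not gdomap's code and not from the thread. The names `drop_privileges` and `write_pidfile` and the command-line layout are hypothetical, and refusing to overwrite an existing file with `O_EXCL` is an extra hardening assumption, not something the message says gdomap does.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Give up root for good: supplementary groups, then gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* If root can be regained, the drop did not take effect. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Write the pid to a file that must not already exist. O_CREAT|O_EXCL
 * fails if the path exists (a file or a symlink), so nothing is clobbered. */
int write_pidfile(const char *path, pid_t pid)
{
    char buf[32];
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    int len = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    int ok = write(fd, buf, (size_t)len) == (ssize_t)len;
    if (close(fd) != 0) ok = 0;
    return ok ? 0 : -1;
}

/* Hypothetical daemon start-up: ./pidfile_demo <path> <uid> <gid> */
int main(int argc, char **argv)
{
    if (argc != 4) { fprintf(stderr, "usage: %s path uid gid\n", argv[0]); return 2; }
    /* Privileged setup (binding the low port) would happen here. */
    if (drop_privileges((uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
        perror("drop_privileges"); return 1;
    }
    /* Only now touch the user-supplied path: the kernel checks it
     * against the unprivileged uid, not root. */
    if (write_pidfile(argv[1], getpid()) != 0) { perror("write_pidfile"); return 1; }
    return 0;
}
```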