bug-gnustep
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Serious bug in gdomap (from gnustep-base-1.3.3)


From: Richard Frith-Macdonald
Subject: Re: Serious bug in gdomap (from gnustep-base-1.3.3)
Date: Tue, 2 Jul 2002 15:29:34 +0100

On Tuesday, July 2, 2002, at 11:02 AM, James Kehl wrote:

Can I please beg you to make gdomap run as a user other than root by default!?

Yes ... but I won't. It has to run as root to bind to the (priviliged) gdomap port
registered with IANA.

I am using gnustep-base-1.3.3 compiled from source; running on RedHat Linux 7.3. Everything is default apart from using flattened paths in gnustep-make.

Today's problem:
--
[shykta@mixmaster shykta]$ id -a
uid=500(shykta) gid=100(users) groups=100(users),3(sys),20(games)
[shykta@mixmaster shykta]$ la /etc/passwd
-rw-r--r--    1 root     root         1592 Jul  2 19:15 /etc/passwd
[shykta@mixmaster shykta]$ tail -n 1 /etc/passwd
demouser:x:505:505::/home/demouser:/bin/bash
[shykta@mixmaster shykta]$ /usr/GNUstep/System/Tools/gdomap -I /etc/passwd
[shykta@mixmaster shykta]$ tail -n 1 /etc/passwd
28812
--

That's a very, very bad thing to happen.

Yes ... potentially destructive. I fixed it in CVS by moving the code which writes the pid to file, so that it executes after gdomap setuids away from
root ... I don't know why it was before that point ... a big oversight.

I'm sure there's even a creative way for a unprivileged user to get root access using this bug.

I doubt it - the only way I can think of is if writing the pid to a file
owned by another root process caused that process to do something it shouldn't.
I'd probably consider that a bug in the other program.

I don't want to sound unfriendly (I like GNUstep) but I'm going to wait 7 days for a response to this email, and if I haven't heard from you by then, I'll be thinking about how to disclose this.
( a' la RFPolicy - http://www.wiretrip.net/rfp/policy.html )

Well, by mailing to a public mailing list which is mirrored to a usenet newsgroup,
you've already done that!

I recommend anyone running GNUstep on a system where there are local users able to
access the gdomap executable to upgrade gdomap from CVS immediately.




reply via email to

[Prev in Thread] Current Thread [Next in Thread]