
Re: Whom the BIND newest vulnerability concerns?



On Mon, 15 Nov 1999, Herbert Xu wrote:
>On Mon, Nov 15, 1999 at 07:55:12PM +0100, Russell Coker wrote:
>> 
>> Programs running with group daemon used to run as root!  A program that many
>> people trust enough to run as root is a program that I usually trust enough
>> to give write access to /var/run.
>> Also with the sticky bit on /var/run they can't delete each other's pid files
>> so if such a program is compromised it can't interfere with a running daemon.
>
>But you could create a DoS situation by creating somebody else's PID file.
>If you create the right ones, you might even trick someone into killing an
>important daemon.

To do this properly you should kill the daemon as the user it runs under.  So
to stop the LDAP server you would do:
sudo -u ldap kill `cat /var/run/slapd.pid`

Then if slapd.pid has something other than the pid of the LDAP server (the
only program using the LDAP UID) then the kill command will fail.

With the current situation a daemon can die unexpectedly (SEGV caused by
solar radiation or something) and another process can be unlucky enough to
get its PID and result in the same situation.

Fixing all the daemons for this will take some work.  But the end result will
protect us from bugs in code, bugs in scripts, and some types of hostile
attacks.

Also keep in mind that only group daemon can create a PID file.  So an
average user won't be able to create one unless they subvert a daemon.

We can't make it absolutely impossible for a misconfigured system to be
broken.  We can't make it impossible for a buggy program to be exploited to
the disadvantage of the administrator.  But we can make it a lot harder for
bad users without expending too much effort.  I believe that my proposal
achieves those aims.

-- 
Electronic information tampers with your soul.
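
The owner check this message relies on, as an added example that is not part of the original post: before signalling, confirm that the PID file names a live process owned by the daemon's account. The function names are hypothetical, and the script assumes Linux /proc and a `stat` that supports `-c`.

```sh
#!/bin/sh
# Added example, not from the original post. Linux-only: relies on /proc.

# pid_from_file FILE: print the PID if FILE holds one plausible decimal PID.
pid_from_file() {
    # Refuse symlinks: a compromised daemon could plant one in /var/run.
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -d ' \t\r\n')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;      # empty or non-numeric content
    esac
    [ "$pid" -gt 1 ] || return 1      # never signal PID 0 or init
    printf '%s\n' "$pid"
}

# pid_owned_by USER FILE: print the PID only if that process runs as USER.
# USER may be an account name or a numeric UID.
pid_owned_by() {
    case "$1" in
        ''|*[!0-9]*) want=$(id -u "$1" 2>/dev/null) || return 1 ;;
        *)           want=$1 ;;
    esac
    pid=$(pid_from_file "$2") || return 1
    # /proc/PID is owned by the UID the process runs under.
    have=$(stat -c %u "/proc/$pid" 2>/dev/null) || return 1   # stale PID
    [ "$have" = "$want" ] || return 1   # reused or forged PID
    printf '%s\n' "$pid"
}

# safe_kill USER FILE [SIGNAL]: signal only a process that passed the check.
safe_kill() {
    pid=$(pid_owned_by "$1" "$2") || {
        echo "refusing: $2 does not name a process owned by $1" >&2
        return 1
    }
    kill "-${3:-TERM}" "$pid"
}

# Example call, using the path from the message above:
#   safe_kill ldap /var/run/slapd.pid
```

The check and the kill are not atomic, so running kill under the daemon's own UID, as the message proposes, remains the stronger control because the kernel enforces it.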

