Re: RFS: tleds 1.05beta10-9
Steve Langasek <vorlon@debian.org> writes:
> The tmp file handling in this version is definitely improved, but it
> seems that only root is completely protected from malicious pidfiles:
> - the user pidfile is created with a constant name
> - when opening the pidfile, the ownership is not checked
> - there is a race condition when using -k, where a new pidfile can be
> created after the old tleds process has exited but before the current
> process checks whether it succeeded. (A rather large race condition,
> too -- tleds -k sleeps for 3 seconds, and no process should take that
> long to shut down on a modern system. :)
This is a good point. I didn't look closely enough at the user stuff
rather than the root stuff.
> So an attack vector here is that the user calls tleds -k, the attacker
> replaces the pidfile as soon as it's been removed with one of his own,
> and tleds -k returns an error to the user; the user then re-runs tleds
> -k without looking, and an arbitrary process belonging to the user is
> signalled.
> Do you think this is worth fixing up before considering bug #276789
> fixed? There are probably very few processes that a stray SIGUSR1 can
> do damage to on a typical system, but if it's worth protecting root
> from, it's probably worth protecting users from as well. In any case,
> this is not the bug that 276789 is primarily concerned with.
Sure, I can fix this. It's not that difficult of a fix. I'll put up a
fresh package sometime tomorrow.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
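As an added illustration of the two points raised above (checking who owns the pidfile before trusting it, and not re-reading it after -k has sent its signal), here is example code written for this thread; it is not the tleds source, and the function names, status codes and 0.1 s polling interval are my own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
enum pidfile_status { PIDFILE_OK = 0, PIDFILE_OPEN, PIDFILE_NOT_REGULAR, PIDFILE_WRONG_OWNER, PIDFILE_BAD_CONTENT };

/* Open the pidfile without following symlinks, then validate the open descriptor
 * (not the path) so the checks apply to the file that is actually read. */
int read_pidfile_checked(const char *path, pid_t *out)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return PIDFILE_OPEN;                 /* ELOOP here: a symlink was planted */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) { close(fd); return PIDFILE_NOT_REGULAR; }
    /* Must belong to the invoking user and be writable by nobody else. */
    if (st.st_uid != getuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) { close(fd); return PIDFILE_WRONG_OWNER; }
    char buf[32];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0) return PIDFILE_BAD_CONTENT;
    buf[n] = '\0';
    char *end; errno = 0;
    long pid = strtol(buf, &end, 10);
    if (errno || end == buf || (*end != '\n' && *end != '\0') || pid <= 1) return PIDFILE_BAD_CONTENT;
    *out = (pid_t)pid;
    return PIDFILE_OK;
}

/* Signal the daemon once and wait for it by polling the pid read above, never
 * re-reading the pidfile, so a replacement planted after the old process exits is
 * never consulted. Returns 0 when gone, 1 if still running, -1 if kill() failed. */
int stop_daemon(pid_t pid, int sig, int wait_tenths)
{
    if (kill(pid, sig) < 0) return -1;
    for (int i = 0; i < wait_tenths; i++) {
        if (kill(pid, 0) < 0 && errno == ESRCH) return 0;   /* gone */
        usleep(100000);
    }
    return 1;   /* still running: report it, do not retry from the pidfile */
}
```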