[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFS: tleds 1.05beta10-9

Steve Langasek <vorlon@debian.org> writes:

> The tmp file handling in this version is definitely improved, but it
> seems that only root is completely protected from malicious pidfiles:

> - the user pidfile is created with a constant name
> - when opening the pidfile, the ownership is not checked
> - there is a race condition when using -k, where a new pidfile can be
>   created after the old tleds process has exited but before the current
>   process checks whether it succeeded.  (A rather large race condition,
>   too -- tleds -k sleeps for 3 seconds, and no process should take that
>   long to shut down on a modern system. :)

This is a good point.  I didn't look closely enough at the user stuff
rather than the root stuff.

> So an attack vector here is that the user calls tleds -k, the attacker
> replaces the pidfile as soon as it's been removed with one of his own,
> and tleds -k returns an error to the user; the user then re-runs tleds
> -k without looking, and an arbitrary process belonging to the user is
> signalled.

> Do you think this is worth fixing up before considering bug #276789
> fixed?  There are probably very few processes that a stray SIGUSR1 can
> do damage to on a typical system, but if it's worth protecting root
> from, it's probably worth protecting users from as well.  In any case,
> this is not the bug that 276789 is primarily concerned with.

Sure, I can fix this.  It's not that difficult of a fix.  I'll put up a
fresh package sometime tomorrow.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

Reply to: