Re: RFS: tleds 1.05beta10-9

To: debian-qa@lists.debian.org
Subject: Re: RFS: tleds 1.05beta10-9
From: Russ Allbery <rra@stanford.edu>
Date: Fri, 26 Aug 2005 17:37:59 -0700
Message-id: <[🔎] 87d5o0xli0.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 20050826230401.GA4719@tennyson.netexpress.net> (Steve Langasek's message of "Fri, 26 Aug 2005 16:04:01 -0700")
References: <[🔎] 20050819224414.GA7577@twcny.rr.com> <[🔎] 87br3nx1af.fsf@windlord.stanford.edu> <[🔎] 87wtmbprwp.fsf_-_@windlord.stanford.edu> <[🔎] 20050826230401.GA4719@tennyson.netexpress.net>

Steve Langasek <vorlon@debian.org> writes:

> The tmp file handling in this version is definitely improved, but it
> seems that only root is completely protected from malicious pidfiles:

> - the user pidfile is created with a constant name
> - when opening the pidfile, the ownership is not checked
> - there is a race condition when using -k, where a new pidfile can be
>   created after the old tleds process has exited but before the current
>   process checks whether it succeeded.  (A rather large race condition,
>   too -- tleds -k sleeps for 3 seconds, and no process should take that
>   long to shut down on a modern system. :)

This is a good point.  I didn't look closely enough at the user stuff
rather than the root stuff.

> So an attack vector here is that the user calls tleds -k, the attacker
> replaces the pidfile as soon as it's been removed with one of his own,
> and tleds -k returns an error to the user; the user then re-runs tleds
> -k without looking, and an arbitrary process belonging to the user is
> signalled.

> Do you think this is worth fixing up before considering bug #276789
> fixed?  There are probably very few processes that a stray SIGUSR1 can
> do damage to on a typical system, but if it's worth protecting root
> from, it's probably worth protecting users from as well.  In any case,
> this is not the bug that 276789 is primarily concerned with.

Sure, I can fix this.  It's not that difficult of a fix.  I'll put up a
fresh package sometime tomorrow.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

Reply to:

References:
- Packages which aren't getting into "testing"
  - From: Nathanael Nerode <neroden@twcny.rr.com>
- Re: Packages which aren't getting into "testing"
  - From: Russ Allbery <rra@stanford.edu>
- RFS: tleds 1.05beta10-9 (was: Packages which aren't getting into "testing")
  - From: Russ Allbery <rra@stanford.edu>
- Re: RFS: tleds 1.05beta10-9 (was: Packages which aren't getting into "testing")
  - From: Steve Langasek <vorlon@debian.org>

Prev by Date: Re: RFS: tleds 1.05beta10-9 (was: Packages which aren't getting into "testing")
Next by Date: Status update for the Debian QA Meeting in Darmstadt, Germany
Previous by thread: Re: RFS: tleds 1.05beta10-9 (was: Packages which aren't getting into "testing")
Next by thread: Re: RFS: tleds 1.05beta10-9
Index(es):
- Date
- Thread