Bug 34933
Summary: | netreport function in network-scripts seems to be insecure | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | lumpy_ <dynamo> |
Component: | initscripts | Assignee: | Bill Nottingham <notting> |
Status: | CLOSED RAWHIDE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 6.2 | CC: | dr, dynamo, rvokal |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2001-04-06 16:00:05 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
lumpy_
2001-04-06 01:12:02 UTC
Yep. I agree to the analysis. You don't have control over which process gets killed, but it's serious anyway I think. But sadly I see no workaround :-( There is one way that you could do it easilly but im not sure it would fully resolve the security issues. (Note that i just woke up :)): If you set your user id to that of the user who created the file before killing the process... that way when its not your process it wont let you send SIGIO. Will be fixed in 5.83-1. |