Bug 34933

Summary: netreport function in network-scripts seems to be insecure
Product: [Retired] Red Hat Linux Reporter: lumpy_ <dynamo>
Component: initscriptsAssignee: Bill Nottingham <notting>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2CC: dr, dynamo, rvokal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2001-04-06 16:00:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description lumpy_ 2001-04-06 01:12:02 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386)


it seems that netreport and the network-scripts allow arbitrary pid killing

Reproducible: Didn't try
Steps to Reproduce:

	from man 7 signal:
1.      SIGIO       23,29,22     A      I/O now possible (4.2 BSD)
      ...
      The letters in the  "Action"  column  have  the  following
       meanings:

       A      Default action is to terminate the process.

(note that on bsd the sigio is discarded by default)

2. ls -l /sbin/netreport
        -rwxr-sr-x    1 root     root         3860 Mar 13 14:41
/sbin/netreport
(which creates pid files in /var/run/netreport/
        drwxrwxr-x    2 root     root         4096 Apr  5 18:17 netreport
(which has files such as this created when you run it)
        ----------    1 lumpy    root            0 Apr  5 18:15 19769
        ----------    1 lumpy    root            0 Apr  5 18:17 19968
(note that the pid file is not removed automagically.  i tested this by
 executing sh, running netreport, exiting the shell, and ls'ing again)

These files are apparently used by:
3. /etc/sysconfig/network-scripts/network-functions

this script contains the following function:

do_netreport ()
{
  # Notify programs that have requested notification
  ( cd /var/run/netreport || exit
    for i in * ; do
      [ -f $i ] && \
        kill -SIGIO $i >/dev/null 2>&1 || \
          rm -f $i >/dev/null 2>&1
    done
  )
}

4.
So it looks like you should be able to kill arbitrary processes.

Im new to linux, but not unix.  I have to rely on the manpages, as this
box is not mine and i really dont want to crash it.  What do you guys
think?  Is this a known issue that i just didnt know about?



Actual Results:  i couldnt test -- couldnt kill the box because it was in
production

Expected Results:  that arbitrary processes created with pids from stale
netreports would be killed

Comment 1 Daniel Roesen 2001-04-06 08:15:02 UTC
Yep. I agree to the analysis. You don't have control over which process gets
killed, but it's serious anyway I think. But sadly I see no workaround :-(

Comment 2 lumpy_ 2001-04-06 15:35:08 UTC
There is one way that you could do it easilly but im not sure it would fully
resolve the
security issues.  (Note that i just woke up :)):

	If you set your user id to that of the user who created the file before killing
the 
	process... that way when its not your process it wont let you send SIGIO.

Comment 3 Bill Nottingham 2001-04-06 18:03:46 UTC
Will be fixed in 5.83-1.