Bug 458504

Summary: [SECURITY] Wipes system at startup
Product: [Fedora] Fedora Reporter: Enrico Scholz <rh-bugzilla>
Component: initscriptsAssignee: Bill Nottingham <notting>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 9CC: k.georgiou, rvokal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-09-24 20:14:53 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On:    
Bug Blocks: 458652    

Description Enrico Scholz 2008-08-08 19:22:10 EDT
Description of problem:

/etc/rc.sysinit makes

| find -L /var/lock /var/run ! -type d -exec rm -f {} \;

at every start.  It is common practice to have daemon-writable subdirs below /var/run or /var/lock (e.g. /var/run/openldap).  When such a daemon is compromised, an attack could create a

| /var/run/openldap/foo -> /

symlink which wipes whole system at next startup.


Version-Release number of selected component (if applicable):

initscripts-8.76.2-1.x86_64


How reproducible:

100%

Steps to Reproduce:
1. mkdir /var/run/foo
2. chown nobody:nobody /var/run/foo
3. runuser nobody -s /bin/sh 'ln -s / /var/run/foo/bar'
4. reboot
  
Actual results:

a lot of 'command not found' errors on startup


Additional info:

Kudos to Herbert Poetzl about discovering this vulnerability.
Comment 1 Fedora Update System 2008-08-29 13:14:57 EDT
initscripts-8.76.3-1 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/initscripts-8.76.3-1
Comment 2 Fedora Update System 2008-09-10 02:45:35 EDT
initscripts-8.76.3-1 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update initscripts'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-7667
Comment 3 Fedora Update System 2008-09-24 20:14:44 EDT
initscripts-8.76.3-1 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.