Bug 58571
| Summary: | File system space checks too aggresive. | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Michal Jaegermann <michal> |
| Component: | diskcheck | Assignee: | Harald Hoyer <harald> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.3 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | alpha | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2002-01-22 10:59:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Michal Jaegermann
2002-01-20 04:52:14 UTC
Apologies. I found that this bogosity really comes from 'diskcheck' and not from 'fam'. But when I found that this program reads its config file with 'exec(line)' then my lower jaw truly fell to the floor. So every sudo'er with a write access to this config file may execute absolutely anything on a system? Great stuff!!! How many other surprises of that kind? hmm, one can execute many programs, if /etc is belonging to him... will include floppies to omit as well :) I do not think that you understand security implications. Some "junior administrator" may have a write access to a configuration file (ownership and permits do not have be like in times of an installation) without owning /etc. That kind of "pseudo-parsing" with 'exec' is a VERY BAD IDEA in any language. A program is running from cron and you are finding yourself executing with root priviledges a code you never intended to. Oops! Murphy Law also assures that somebody will make a stupid typo in a config file and will execute an unitended code which will affect the rest of a program. I do not have harmful examples right now but life will provide something like that one day. :-) Also puzzles like "Disk Usage Monitor" should not pretend to be program identifiers in mail. At minimum this should be "Disk Usage Monitor (diskcheck)". I realize now that it is possible to fix that in a config file but I should not have a head scratcher about what was sending that in the first place. > I do not think that you understand security implications. Try me ... > Some "junior administrator" may have a write access to a configuration file > (ownership and permits do not have be like in times of an installation) > without owning /etc. > That kind of "pseudo-parsing" with 'exec' is a VERY BAD IDEA in any > language. A program is running from cron and you are finding yourself > executing with root priviledges a code you never intended to. Oops! Agreed ... (note: I would never do that :) > Murphy Law also assures that somebody will make a stupid typo in a config > file and will execute an unitended code which will affect the rest of a > program. I do not have harmful examples right now but life will provide > something like that one day. :-) I hate that "Murphy"! > Also puzzles like "Disk Usage Monitor" should not pretend to be program > identifiers in mail. At minimum this should be "Disk Usage Monitor > (diskcheck)". > I realize now that it is possible to fix that in a config file but I should > not have a head scratcher about what was sending that in the first place. Agreed. fixed in diskcheck-1.2-1 |