Bug 680790
| Summary: | logrotate: TOCTOU race condition by creation of log files after rotation (ability to change file owner / mode on arbitrary system files) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | jkaluza, petr.uzel, tsmetana |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Last Closed: | 2011-03-11 06:30:58 UTC | Type: | --- |
Clarified flaw details from Stefan Fritsch of Debian Security Team:
===================================================================
Here the race condition is between the rename

     950         if (!debug && rename(oldName, newName)) {

and the creation of the new file at

    1117         fd = createOutputFile(log->files[logNum], O_CREAT | O_RDWR,
                                       &sb);

If an attacker can link a file into place in that race period, the
permissions of that file will be changed. It is not necessary for the
attacker to have write or chmod permissions on the log file. The fix
is to use O_EXCL.
A file access race condition (time-of-check, time-of-use, TOCTOU race condition) was found in the way the logrotate utility created the log files after rotation, when their immediate creation ("create" configuration option) was requested. A local attacker could use this flaw to change file owner or mode on arbitrary system files to the file owner and mode specified in logrotate's configuration (if the logrotate utility was run under a privileged user, root, and logrotate was run on an attacker-controllable directory).
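The effect of the missing O_EXCL described above, shown deterministically in an added C example (not logrotate's own code). `create_log` is a hypothetical stand-in for the create step, all file names are constructed, and only the mode is applied because changing ownership would need root.

```c
#define _DEFAULT_SOURCE 1   /* for mkdtemp() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for the "create" step: open the new log and apply
 * the configured mode. extra_flags is 0 (racy) or O_EXCL (the fix). */
static int create_log(const char *path, mode_t mode, int extra_flags)
{
    int fd = open(path, O_CREAT | O_RDWR | extra_flags, mode);
    if (fd < 0)
        return -1;               /* O_EXCL: EEXIST if the name already exists */
    if (fchmod(fd, mode) != 0) { /* applies to whichever inode was opened */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp dir: a 0600 file is hard-linked to
 * the log name between rename and create. Returns that file's final
 * permission bits, or -1 if setup failed. */
static int victim_mode_after_create(int extra_flags)
{
    char dir[] = "/tmp/logrotate-demo-XXXXXX", victim[64], log[64], old[64];
    struct stat st;
    int fd, mode = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(log, sizeof log, "%s/app.log", dir);
    snprintf(old, sizeof old, "%s/app.log.1", dir);
    if ((fd = open(victim, O_CREAT | O_WRONLY, 0600)) >= 0) { fchmod(fd, 0600); close(fd); }
    if ((fd = open(log, O_CREAT | O_WRONLY, 0644)) >= 0) close(fd);
    if (fd >= 0 && rename(log, old) == 0 && link(victim, log) == 0) {
        fd = create_log(log, 0644, extra_flags);   /* new log, mode 0644 */
        if (fd >= 0) close(fd);
        if (stat(victim, &st) == 0) mode = st.st_mode & 0777;
    }
    unlink(log); unlink(old); unlink(victim); rmdir(dir);
    return mode;
}
int main(void)
{
    printf("without O_EXCL: %04o\n", (unsigned)victim_mode_after_create(0));
    printf("with O_EXCL:    %04o\n", (unsigned)victim_mode_after_create(O_EXCL));
    return 0;
}
```

With O_EXCL the open fails with EEXIST and the linked file keeps its original mode, so the caller can treat an unexpected existing name as an error instead of applying permissions to it.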