Bug 681898

Summary: DON'T make /var/lock/lockdev world writeable (security issue)
Product: [Fedora] Fedora Reporter: Jan Görig <jgorig>
Component: lockdevAssignee: Jiri Popelka <jpopelka>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 15CC: awilliam, jpopelka, kzak, lpoetter, mschmidt, samuel-rhbugs, tflink
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: RejectedBlocker AcceptedNTH
Fixed In Version: lockdev-1.0.3-10.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-04-21 22:20:51 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 657621    

Description Jan Görig 2011-03-03 09:41:14 EST
Description of problem:
The lockdev uses /var/lock/lockdev for locking instead of /var/lock (introduced in #581884).

/var/lock/lockdev contains only device locks that are world writeable using lockdev utility. This directory should be world writeable (1777) directly.


Version-Release number of selected component (if applicable):
lockdev-1.0.3-8.fc15
Comment 1 Fedora Update System 2011-03-03 10:16:39 EST
Package lockdev-1.0.3-9.fc15:
* should fix your issue,
* was pushed to the Fedora 15 updates-testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing lockdev-1.0.3-9.fc15'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/lockdev-1.0.3-9.fc15
then log in and leave karma (feedback).
Comment 2 Fedora Update System 2011-03-04 05:06:21 EST
lockdev-1.0.3-9.fc15 has been pushed to the Fedora 15 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update lockdev'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/lockdev-1.0.3-9.fc15
Comment 3 Fedora Update System 2011-03-09 22:06:23 EST
lockdev-1.0.3-9.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Lennart Poettering 2011-03-31 16:52:05 EDT
This is a gaping security hole. We do not want to allow normal users to fill up /var or /var/run. We do not want a any further /tmp with unrestricted access to the user.

With this in place normal users can fill up the fs trivially thus making it impossible for system software to lock things.

Additional world-writable directories are really not acceptable.

Access to this directory should be allowed only through the lockdev setgid tool and the lock dir should be writable to the group "lock" only, so that random people cannot write things here uncontrolled. The lockdev utility should ensure that only valid device names.

Reopening.
Comment 5 Lennart Poettering 2011-03-31 17:06:40 EDT
Also, the dir cannot be sticky:

https://bugzilla.redhat.com/show_bug.cgi?id=145264#c1
Comment 6 Tim Flink 2011-04-01 14:13:03 EDT
Discussed at the 2011-04-01 blocker bug review meeting. We feel that this is not a serious enough security issue to be a beta blocker. Rejected as blocker for F15Beta, will be re-visited as a final blocker.
Comment 7 Jiri Popelka 2011-04-04 04:24:51 EDT
Thanks for the description Lennart,

I'll revert the change
and also remove the /etc/tmpfiles.d/lockdev.conf completely (bug #692714).
Comment 8 Fedora Update System 2011-04-05 08:49:05 EDT
lockdev-1.0.3-10.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/lockdev-1.0.3-10.fc15
Comment 9 Fedora Update System 2011-04-05 16:25:15 EDT
Package lockdev-1.0.3-10.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing lockdev-1.0.3-10.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/lockdev-1.0.3-10.fc15
then log in and leave karma (feedback).
Comment 10 Lennart Poettering 2011-04-06 14:41:04 EDT
(BTW, sorry for sounding that harsh in my first comment)
Comment 12 Adam Williamson 2011-04-15 15:45:11 EDT
Discussed at 2011-04-15 blocker review meeting. On criteria, this is a non-blocker, as we don't have security criteria, though we maybe should. On its merits, we still feel probably not a blocker, as it's a local DoS vuln, and we've shipped releases with enough of those in the past; most general-purpose Linux distros don't really commit, practically speaking, to trying really hard to ensure there are absolutely no local DoS holes in a default install.

So, accepted NTH, rejected blocker. We could discuss this in more detail in a generic discussion of potential security criteria.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 13 Fedora Update System 2011-04-21 22:20:41 EDT
lockdev-1.0.3-10.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.