Red Hat Bugzilla – Full Text Bug Listing
|Summary:||DON'T make /var/lock/lockdev world writeable (security issue)|
|Product:||[Fedora] Fedora||Reporter:||Jan Görig <jgorig>|
|Component:||lockdev||Assignee:||Jiri Popelka <jpopelka>|
|Status:||CLOSED ERRATA||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||15||CC:||awilliam, jpopelka, kzak, lpoetter, mschmidt, samuel-rhbugs, tflink|
|Fixed In Version:||lockdev-1.0.3-10.fc15||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2011-04-21 22:20:51 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:|
Description Jan Görig 2011-03-03 09:41:14 EST
Description of problem: The lockdev uses /var/lock/lockdev for locking instead of /var/lock (introduced in #581884). /var/lock/lockdev contains only device locks that are world writeable using lockdev utility. This directory should be world writeable (1777) directly. Version-Release number of selected component (if applicable): lockdev-1.0.3-8.fc15
Comment 1 Fedora Update System 2011-03-03 10:16:39 EST
Package lockdev-1.0.3-9.fc15: * should fix your issue, * was pushed to the Fedora 15 updates-testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing lockdev-1.0.3-9.fc15' as soon as you are able to, then reboot. Please go to the following url: https://admin.fedoraproject.org/updates/lockdev-1.0.3-9.fc15 then log in and leave karma (feedback).
Comment 2 Fedora Update System 2011-03-04 05:06:21 EST
lockdev-1.0.3-9.fc15 has been pushed to the Fedora 15 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update lockdev'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/lockdev-1.0.3-9.fc15
Comment 3 Fedora Update System 2011-03-09 22:06:23 EST
lockdev-1.0.3-9.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Comment 4 Lennart Poettering 2011-03-31 16:52:05 EDT
This is a gaping security hole. We do not want to allow normal users to fill up /var or /var/run. We do not want a any further /tmp with unrestricted access to the user. With this in place normal users can fill up the fs trivially thus making it impossible for system software to lock things. Additional world-writable directories are really not acceptable. Access to this directory should be allowed only through the lockdev setgid tool and the lock dir should be writable to the group "lock" only, so that random people cannot write things here uncontrolled. The lockdev utility should ensure that only valid device names. Reopening.
Comment 5 Lennart Poettering 2011-03-31 17:06:40 EDT
Also, the dir cannot be sticky: https://bugzilla.redhat.com/show_bug.cgi?id=145264#c1
Comment 6 Tim Flink 2011-04-01 14:13:03 EDT
Discussed at the 2011-04-01 blocker bug review meeting. We feel that this is not a serious enough security issue to be a beta blocker. Rejected as blocker for F15Beta, will be re-visited as a final blocker.
Comment 7 Jiri Popelka 2011-04-04 04:24:51 EDT
Thanks for the description Lennart, I'll revert the change and also remove the /etc/tmpfiles.d/lockdev.conf completely (bug #692714).
Comment 8 Fedora Update System 2011-04-05 08:49:05 EDT
lockdev-1.0.3-10.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/lockdev-1.0.3-10.fc15
Comment 9 Fedora Update System 2011-04-05 16:25:15 EDT
Package lockdev-1.0.3-10.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing lockdev-1.0.3-10.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/lockdev-1.0.3-10.fc15 then log in and leave karma (feedback).
Comment 10 Lennart Poettering 2011-04-06 14:41:04 EDT
(BTW, sorry for sounding that harsh in my first comment)
Comment 12 Adam Williamson 2011-04-15 15:45:11 EDT
Discussed at 2011-04-15 blocker review meeting. On criteria, this is a non-blocker, as we don't have security criteria, though we maybe should. On its merits, we still feel probably not a blocker, as it's a local DoS vuln, and we've shipped releases with enough of those in the past; most general-purpose Linux distros don't really commit, practically speaking, to trying really hard to ensure there are absolutely no local DoS holes in a default install. So, accepted NTH, rejected blocker. We could discuss this in more detail in a generic discussion of potential security criteria. -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers
Comment 13 Fedora Update System 2011-04-21 22:20:41 EDT
lockdev-1.0.3-10.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.