Bug 681898
Summary: | DON'T make /var/lock/lockdev world writeable (security issue) | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jan Görig <jgorig> |
Component: | lockdev | Assignee: | Jiri Popelka <jpopelka> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 15 | CC: | awilliam, jpopelka, kzak, lpoetter, mschmidt, samuel-rhbugs, tflink |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | RejectedBlocker AcceptedNTH | ||
Fixed In Version: | lockdev-1.0.3-10.fc15 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2011-04-22 02:20:51 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 657621 |
Description
Jan Görig
2011-03-03 14:41:14 UTC
Package lockdev-1.0.3-9.fc15: * should fix your issue, * was pushed to the Fedora 15 updates-testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing lockdev-1.0.3-9.fc15' as soon as you are able to, then reboot. Please go to the following url: https://admin.fedoraproject.org/updates/lockdev-1.0.3-9.fc15 then log in and leave karma (feedback). lockdev-1.0.3-9.fc15 has been pushed to the Fedora 15 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update lockdev'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/lockdev-1.0.3-9.fc15 lockdev-1.0.3-9.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. This is a gaping security hole. We do not want to allow normal users to fill up /var or /var/run. We do not want a any further /tmp with unrestricted access to the user. With this in place normal users can fill up the fs trivially thus making it impossible for system software to lock things. Additional world-writable directories are really not acceptable. Access to this directory should be allowed only through the lockdev setgid tool and the lock dir should be writable to the group "lock" only, so that random people cannot write things here uncontrolled. The lockdev utility should ensure that only valid device names. Reopening. Also, the dir cannot be sticky: https://bugzilla.redhat.com/show_bug.cgi?id=145264#c1 Discussed at the 2011-04-01 blocker bug review meeting. We feel that this is not a serious enough security issue to be a beta blocker. Rejected as blocker for F15Beta, will be re-visited as a final blocker. Thanks for the description Lennart, I'll revert the change and also remove the /etc/tmpfiles.d/lockdev.conf completely (bug #692714). lockdev-1.0.3-10.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/lockdev-1.0.3-10.fc15 Package lockdev-1.0.3-10.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing lockdev-1.0.3-10.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/lockdev-1.0.3-10.fc15 then log in and leave karma (feedback). (BTW, sorry for sounding that harsh in my first comment) Discussed at 2011-04-15 blocker review meeting. On criteria, this is a non-blocker, as we don't have security criteria, though we maybe should. On its merits, we still feel probably not a blocker, as it's a local DoS vuln, and we've shipped releases with enough of those in the past; most general-purpose Linux distros don't really commit, practically speaking, to trying really hard to ensure there are absolutely no local DoS holes in a default install. So, accepted NTH, rejected blocker. We could discuss this in more detail in a generic discussion of potential security criteria. -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers lockdev-1.0.3-10.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. |