Bug 11870 – Gkermit can read or write to any file writable by group uucp

Bug 11870 - Gkermit can read or write to any file writable by group uucp

Summary:	Gkermit can read or write to any file writable by group uucp

Status:	CLOSED RAWHIDE

Aliases:	None

Product:	Red Hat Linux
Classification:	Retired
Component:	gkermit (Show other bugs)
Sub Component:
Version:	6.2
Hardware:	i386 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Nalin Dahyabhai
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:	Security

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2000-06-02 18:08 EDT by SB
Modified:	2008-05-01 11:37 EDT (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2000-07-24 17:36:27 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description SB 2000-06-02 18:08:29 EDT

[root@king may26]# ls -al /usr/bin/gkermit
-rwxr-sr-x    1 root     uucp        31484 May 10 15:08 /usr/bin/gkermit

The problem?G-Kermit CU-1.00, Columbia University, 1999-12-25: POSIX.
Usage:  gkermit [ options ]
Options:
 -r      Receive files
 -s fn   Send files
 -g fn   Get files from server
 -a fn   As-name for single file
 ...
 -w      Write over existing files with same name
 -K      Keep incompletely received files
 ...
 -X      External protocol
 -q      Quiet (suppress messages)
 -d [fn] Debug to ./debug.log [or specified file]
 -h      Help (this message)

It does all those things but never drops permissions! For example:

[user@king /tmp]$ id
uid=200(user) gid=100(users) groups=100(users)
[user@king /tmp]$ ls -al /var/log/uucp/log
-rw-rw----    1 uucp     uucp            0 Jun  2 18:01 /var/log/uucp/log
[user@king /tmp]$ gkermit -d /var/log/uucp/log
[user@king /tmp]$ ls -al /var/log/uucp/log          
-rw-rw----    1 uucp     uucp          282 Jun  2 18:04 /var/log/uucp/log
[user@king /tmp]$ cat /var/log/uucp/log      
cat: /var/log/uucp/log: Permission denied
[user@king /tmp]$ su
Password:
[root@king /tmp]# cat /var/log/uucp/log     
G-Kermit CU-1.00, Columbia University, 1999-12-25: POSIX
MAXPATHLEN = 1024
cmdlin action = (none)
ttopen __STDC__
ttopen SIG_V
ttopen nonblocking read/write
ttopen TINBUFSIZ = 4080
ttopen xonxoff = 0
ttopen noxonxoff = 0
ttopen ttflags 2
ttopen nomodes 0
ttopen nonblock = 1
exit 0
[root@king /tmp]# 

See it will write to any file writable by user uucp, and it
gets worse. Take for example /etc/uucp/passwd:
[root@king rawhide]# ls -al /etc/uucp/passwd
-rw-r-----    1 root     uucp          323 Mar  7 05:39 /etc/uucp/passwd

Using gkermit anyone could send that file anywhere because it
is readable by group uucp and therefore gkermit will gladly send
it.  Gkermit either needs to drop permissions before performing
any operations dealing with files or it needs to lose the setgid
uucp.  Either way it presently will give away uucp passwd file
which is bad enough by itself.  Due to you guys making no files
writable by group uucp by default, the scope of this problem is
mostly just reading files instead of writing to them which is
a good thing when you think about it ;)

-Stan Bubrouski

Comment 1 Chris Evans 2000-07-24 16:27:30 EDT

See bug #14539 - this may be nastier than it seems
Upgrading severity to security

Comment 2 SB 2000-07-24 17:36:27 EDT

Removing sgid uucp fixes both I believe, though I agree with the changes
Solar Designer suggests in bug #14539

Comment 3 Bill Nottingham 2000-08-21 18:51:34 EDT

gkermit is not setgid uucp in the latest packages.

Note You need to log in before you can comment on or make changes to this bug.