Bug 11870 - Gkermit can read or write to any file writable by group uucp
Summary: Gkermit can read or write to any file writable by group uucp
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: gkermit   
(Show other bugs)
Version: 6.2
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2000-06-02 22:08 UTC by SB
Modified: 2008-05-01 15:37 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-07-24 21:36:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description SB 2000-06-02 22:08:29 UTC
[root@king may26]# ls -al /usr/bin/gkermit
-rwxr-sr-x    1 root     uucp        31484 May 10 15:08 /usr/bin/gkermit

The problem?G-Kermit CU-1.00, Columbia University, 1999-12-25: POSIX.
Usage:  gkermit [ options ]
 -r      Receive files
 -s fn   Send files
 -g fn   Get files from server
 -a fn   As-name for single file
 -w      Write over existing files with same name
 -K      Keep incompletely received files
 -X      External protocol
 -q      Quiet (suppress messages)
 -d [fn] Debug to ./debug.log [or specified file]
 -h      Help (this message)

It does all those things but never drops permissions! For example:

[user@king /tmp]$ id
uid=200(user) gid=100(users) groups=100(users)
[user@king /tmp]$ ls -al /var/log/uucp/log
-rw-rw----    1 uucp     uucp            0 Jun  2 18:01 /var/log/uucp/log
[user@king /tmp]$ gkermit -d /var/log/uucp/log
[user@king /tmp]$ ls -al /var/log/uucp/log          
-rw-rw----    1 uucp     uucp          282 Jun  2 18:04 /var/log/uucp/log
[user@king /tmp]$ cat /var/log/uucp/log      
cat: /var/log/uucp/log: Permission denied
[user@king /tmp]$ su
[root@king /tmp]# cat /var/log/uucp/log     
G-Kermit CU-1.00, Columbia University, 1999-12-25: POSIX
cmdlin action = (none)
ttopen __STDC__
ttopen SIG_V
ttopen nonblocking read/write
ttopen TINBUFSIZ = 4080
ttopen xonxoff = 0
ttopen noxonxoff = 0
ttopen ttflags 2
ttopen nomodes 0
ttopen nonblock = 1
exit 0
[root@king /tmp]# 

See it will write to any file writable by user uucp, and it
gets worse. Take for example /etc/uucp/passwd:
[root@king rawhide]# ls -al /etc/uucp/passwd
-rw-r-----    1 root     uucp          323 Mar  7 05:39 /etc/uucp/passwd

Using gkermit anyone could send that file anywhere because it
is readable by group uucp and therefore gkermit will gladly send
it.  Gkermit either needs to drop permissions before performing
any operations dealing with files or it needs to lose the setgid
uucp.  Either way it presently will give away uucp passwd file
which is bad enough by itself.  Due to you guys making no files
writable by group uucp by default, the scope of this problem is
mostly just reading files instead of writing to them which is
a good thing when you think about it ;)

-Stan Bubrouski

Comment 1 Chris Evans 2000-07-24 20:27:30 UTC
See bug #14539 - this may be nastier than it seems
Upgrading severity to security

Comment 2 SB 2000-07-24 21:36:27 UTC
Removing sgid uucp fixes both I believe, though I agree with the changes
Solar Designer suggests in bug #14539

Comment 3 Bill Nottingham 2000-08-21 22:51:34 UTC
gkermit is not setgid uucp in the latest packages.

Note You need to log in before you can comment on or make changes to this bug.