Bug 16164 - netreport may be used to truncate existing files.
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: initscripts
Version: 6.2
Hardware: i386 Linux
Priority: low
Severity: medium
Assigned To: Bill Nottingham
Keywords: Security
Reported: 2000-08-14 10:21 EDT by Robbert Heederik
Modified: 2014-03-16 22:15 EDT

Doc Type: Bug Fix
Last Closed: 2000-08-14 10:22:01 EDT


Description Robbert Heederik 2000-08-14 10:21:59 EDT
redhat-release: Red Hat Linux release 6.2 (Zoot)
package:	initscripts-5.00-1
uname: Linux xxx 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown

/sbin/netreport (setgid root) doesn't check the existence
of the /var/run/netreport/<pid> file it creates.  If this file
is replaced by a symbolic link, the target file is truncated:

[root@kwek /root]# cd /var/run/netreport
[root@kwek netreport]# ls -la
total 8
drwxrwxr-x    2 root     root         4096 Aug 14 16:16 .
drwxr-xr-x    5 root     root         4096 Aug 14 14:22 ..
[root@kwek netreport]# echo 1 2 3 4 > /etc/example
[root@kwek netreport]# ls -la /etc/example
-rw-r--r--    1 root     root            8 Aug 14 16:18 /etc/example
[root@kwek netreport]# ln -s /etc/example $$
[root@kwek netreport]# ls -la
total 8
drwxrwxr-x    2 root     root         4096 Aug 14 16:18 .
drwxr-xr-x    5 root     root         4096 Aug 14 14:22 ..
lrwxrwxrwx    1 root     root           12 Aug 14 16:18 2733 -> /etc/example
[root@kwek netreport]# /sbin/netreport
[root@kwek netreport]# ls -la
total 8
drwxrwxr-x    2 root     root         4096 Aug 14 16:18 .
drwxr-xr-x    5 root     root         4096 Aug 14 14:22 ..
lrwxrwxrwx    1 root     root           12 Aug 14 16:18 2733 -> /etc/example
[root@kwek netreport]# ls -la /etc/example
-rw-r--r--    1 root     root            0 Aug 14 16:18 /etc/example

from netreport.c:

    sprintf(netreport_name, "/var/run/netreport/%d", getppid());
    if (action == ADD) {
        netreport_file = creat(netreport_name, 0);

This is not a direct security problem (hence running the example as root),
but it would be when the permissions of the /var/run/netreport directory
(775) were somehow changed so that others could create files in that
directory.

As netreport is a setgid binary, I feel that it should be more careful when
creating files.
Comment 1 Nalin Dahyabhai 2000-08-15 16:06:02 EDT
Resolved in initscripts-5.45.  Thanks!
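
The behaviour reported above, as an added illustration that is not part of the bug thread and not code from initscripts: the creat() call pattern next to one hardened alternative, run against a symlink in a scratch directory. The /tmp directory name, the file names and the helper names are constructed for the demo, and the page does not say how initscripts-5.45 actually fixed the issue.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern quoted in the report: creat() is open(O_WRONLY|O_CREAT|O_TRUNC),
 * so it follows a symlink and truncates whatever the link points at. */
static int create_unsafe(const char *path) { return creat(path, 0); }

/* Hardened form: with O_CREAT|O_EXCL an existing name, symlinks included,
 * makes open() fail with EEXIST. O_NOFOLLOW is redundant here and kept as
 * defence in depth. Nothing is truncated. */
static int create_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0);
}

/* Constructed scenario: scratch directory, an 8-byte victim file and a
 * symlink named like a pid file. Returns the victim's size after the chosen
 * create call, or -1 on setup failure. */
long victim_size_after(int use_safe)
{
    char dir[] = "/tmp/netreport-demo-XXXXXX";
    char victim[64], lnk[64];
    struct stat st;
    FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/example", dir);
    snprintf(lnk, sizeof lnk, "%s/2733", dir);
    if (!(f = fopen(victim, "w"))) return -1;
    fputs("1 2 3 4\n", f);
    fclose(f);
    if (symlink(victim, lnk) != 0) return -1;
    int fd = use_safe ? create_safe(lnk) : create_unsafe(lnk);
    if (fd >= 0) close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(lnk); unlink(victim); rmdir(dir);
    return size;
}

int main(void)
{
    printf("creat():        victim is %ld bytes\n", victim_size_after(0));
    printf("O_CREAT|O_EXCL: victim is %ld bytes\n", victim_size_after(1));
    return 0;
}
```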
