Bug 34933 - netreport function in network-scripts seems to be insecure
Summary: netreport function in network-scripts seems to be insecure
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: initscripts
Version: 6.2
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2001-04-06 01:12 UTC by lumpy_
Modified: 2014-03-17 02:20 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2001-04-06 16:00:05 UTC

Attachments (Terms of Use)

Description lumpy_ 2001-04-06 01:12:02 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386)

it seems that netreport and the network-scripts allow arbitrary pid killing

Reproducible: Didn't try
Steps to Reproduce:

	from man 7 signal:
1.      SIGIO       23,29,22     A      I/O now possible (4.2 BSD)
      The letters in the  "Action"  column  have  the  following

       A      Default action is to terminate the process.

(note that on bsd the sigio is discarded by default)

2. ls -l /sbin/netreport
        -rwxr-sr-x    1 root     root         3860 Mar 13 14:41
(which creates pid files in /var/run/netreport/
        drwxrwxr-x    2 root     root         4096 Apr  5 18:17 netreport
(which has files such as this created when you run it)
        ----------    1 lumpy    root            0 Apr  5 18:15 19769
        ----------    1 lumpy    root            0 Apr  5 18:17 19968
(note that the pid file is not removed automagically.  i tested this by
 executing sh, running netreport, exiting the shell, and ls'ing again)

These files are apparently used by:
3. /etc/sysconfig/network-scripts/network-functions

this script contains the following function:

do_netreport ()
  # Notify programs that have requested notification
  ( cd /var/run/netreport || exit
    for i in * ; do
      [ -f $i ] && \
        kill -SIGIO $i >/dev/null 2>&1 || \
          rm -f $i >/dev/null 2>&1

So it looks like you should be able to kill arbitrary processes.

Im new to linux, but not unix.  I have to rely on the manpages, as this
box is not mine and i really dont want to crash it.  What do you guys
think?  Is this a known issue that i just didnt know about?

Actual Results:  i couldnt test -- couldnt kill the box because it was in

Expected Results:  that arbitrary processes created with pids from stale
netreports would be killed

Comment 1 Daniel Roesen 2001-04-06 08:15:02 UTC
Yep. I agree to the analysis. You don't have control over which process gets
killed, but it's serious anyway I think. But sadly I see no workaround :-(

Comment 2 lumpy_ 2001-04-06 15:35:08 UTC
There is one way that you could do it easilly but im not sure it would fully
resolve the
security issues.  (Note that i just woke up :)):

	If you set your user id to that of the user who created the file before killing
	process... that way when its not your process it wont let you send SIGIO.

Comment 3 Bill Nottingham 2001-04-06 18:03:46 UTC
Will be fixed in 5.83-1.

Note You need to log in before you can comment on or make changes to this bug.